Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-h374-mm57-879c

HIGH

Authenticated (user role) SQL injection in `OrderAndPaginate` (GHSL-2023-270)

Also known asCVE-2024-22196GO-2024-2463
Published
Jan 11, 2024
Updated
Feb 22, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
1 known

EPSS Exploitation Probability

via FIRST.org ↗
0.6%probability of exploitation in next 30 days
Lower Risk43th percentile-0.09%
0.08%0.45%0.81%1.17%0.7%0.6%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐹github.com/0xJacky/Nginx-UI

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The OrderAndPaginate function is used to order and paginate data. It is defined as follows:

func OrderAndPaginate(c *gin.Context) func(db *gorm.DB) *gorm.DB {
	return func(db *gorm.DB) *gorm.DB {
		sort := c.DefaultQuery("order", "desc")

		order := fmt.Sprintf("`%s` %s", DefaultQuery(c, "sort_by", "id"), sort)
		db = db.Order(order)

		...
	}
}

By using DefaultQuery, the "desc" and "id" values are used as default values if the query parameters are not set. Thus, the order and sort_by query parameter are user-controlled and are being appended to the order variable without any sanitization. The same happens with SortOrder, but it doesn't seem to be used anywhere.

func SortOrder(c *gin.Context) func(db *gorm.DB) *gorm.DB {
	return func(db *gorm.DB) *gorm.DB {
		sort := c.DefaultQuery("order", "desc")
		order := fmt.Sprintf("`%s` %s", DefaultQuery(c, "sort_by", "id"), sort)
		return db.Order(order)
	}
}

This issue was found using CodeQL for Go: Database query built from user-controlled sources.

Proof of Concept

Based on this setup using uozi/nginx-ui:v2.0.0-beta.7. In order to exploit this issue, we need to find a place where the OrderAndPaginate function is used. We can find it in the GET /api/dns_credentials endpoint.

func GetDnsCredentialList(c *gin.Context) {
	cosy.Core[model.DnsCredential](c).SetFussy("provider").PagingList()
}

The PagingList function is defined as follows:

func (c *Ctx[T]) PagingList() {
	data, ok := c.PagingListData()
	if ok {
		c.ctx.JSON(http.StatusOK, data)
	}
}

And the PagingListData function is defined as follows:

func (c *Ctx[T]) PagingListData() (*model.DataList, bool) {
	result, ok := c.result()
	if !ok {
		return nil, false
	}

	result = result.Scopes(c.OrderAndPaginate())
	...
}

Using the following request, an attacker can retrieve arbitrary values by checking the order used by the query. That is, the result of the comparison will make the response to be ordered in a specific way.

GET /api/dns_credentials?sort_by=(CASE+WHEN+(SELECT+1)=1+THEN+id+ELSE+updated_at+END)+ASC+--+ HTTP/1.1
Host: 127.0.0.1:8080
Authorization: <<JWT TOKEN>

You can notice the order change by changing =1 to =2, and so the comparison will return false and the order will be updated_at instead of id.

Impact

This issue may lead to Information Disclosure

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/0xJacky/Nginx-UIall versions2.0.0.beta.9
Exploits & PoCs
1

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

Nginx-UI is an online statistics for Server Indicators?? Monitor CPU usa…

github.comNVDJan 2024

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/0xJacky/Nginx-UI. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/0xJacky/Nginx-UI to 2.0.0.beta.9 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-h374-mm57-879c is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-h374-mm57-879c is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-h374-mm57-879c. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary The [`OrderAndPaginate`](https://github.com/0xjacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/model/model.go#L99C4) function is used to order and paginate data. It is defined as follows: ```go func OrderAndPaginate(c *gin.Context) func(db *gorm.DB) *gorm.DB { return func(db *gorm.DB) *gorm.DB { sort := c.DefaultQuery("order", "desc") order := fmt.Sprintf("`%s` %s", DefaultQuery(c, "sort_by", "id"), sort) db = db.Order(order) ... } } ``` By using [`DefaultQuery`](https://github.com/0xjacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/model/model.go
O3 Security · Impact-Aware SCA

Is GHSA-h374-mm57-879c in your dependencies?

O3 detects GHSA-h374-mm57-879c across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works