Critical SOQL Injection 0-Day Vulnerability in Salesforce Affects Millions Worldwide
- С сайта: Zero-Day(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Zero-Day(cybersecuritynews.com)
A critical zero-day vulnerability discovered in Salesforce‘s default controller has exposed millions of user records across thousands of deployments worldwide.
The security flaw, found in the built-in aura://CsvDataImportResourceFamilyController/ACTION$getCsvAutoMap controller, allowed attackers to extract sensitive user information and document details through SOQL injection techniques.
SOQL Injection 0-Day Vulnerability
The vulnerability was discovered while conducting automated fuzzing tests on Aura controllers present in Salesforce deployments.
A custom parser and fuzzer was developed to test hundreds of endpoints by mutating input parameters across the application’s app.js file, which conveniently defines controller descriptors and required arguments.
According to security researcher Tobia Righi, the breakthrough came when the fuzzer returned an unexpected error message revealing unsafe parameter handling: “MALFORMED_QUERY: \nContentVersion WHERE ContentDocumentId = ”’\n ERROR at Row:1:Column:239\nunexpected token: ”'”.
This error indicated that the contentDocumentId parameter was being directly embedded into SOQL queries without proper sanitization, creating a pathway for injection attacks.
Despite SOQL’s inherent restrictions compared to traditional SQL injection vulnerabilities, the researcher successfully developed an exploitation technique using error-based blind injection methods.
The attack leveraged response discrepancies between valid and invalid queries to extract sensitive database information.
The technique exploited different server responses: successful subqueries returned “Cannot invoke “common.udd.EntityInfo.getEntityId()” because “ei” is null”, while unsuccessful ones returned “Error in retrieving content document”.
The researcher enhanced the attack by incorporating Salesforce ID generation techniques, using existing scripts to generate thousands of valid contentDocumentId values starting with the prefix “069”.
This allowed systematic extraction of document names, descriptions, and user details from both public and private ContentDocument objects across the platform.
Patch Released
After reporting the vulnerability to an affected organization, the researcher learned that the vulnerable controller was actually part of Salesforce’s default installation, not custom code.
When subsequently reported to Salesforce in late February 2025, the company quietly patched the vulnerability without issuing a public advisory, CVE designation, or acknowledgment in release notes.
The vulnerability’s impact extends far beyond individual organizations, as the affected controller was present in all Salesforce deployments by default.
The silent patching approach, while resolving the immediate security risk, has left the security community without official guidance on detection methods or potential indicators of compromise from the vulnerability’s exploitation window.
#Cyber_Security #Cyber_Security_News #Vulnerability #Zero-Day #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Critical SOQL Injection 0-Day Vulnerability in Salesforce Affects Millions Worldwide
Author: Guru BaranA critical zero-day vulnerability discovered in Salesforce‘s default controller has exposed millions of user records across thousands of deployments worldwide.
The security flaw, found in the built-in aura://CsvDataImportResourceFamilyController/ACTION$getCsvAutoMap controller, allowed attackers to extract sensitive user information and document details through SOQL injection techniques.
SOQL Injection 0-Day Vulnerability
The vulnerability was discovered while conducting automated fuzzing tests on Aura controllers present in Salesforce deployments.
A custom parser and fuzzer was developed to test hundreds of endpoints by mutating input parameters across the application’s app.js file, which conveniently defines controller descriptors and required arguments.
According to security researcher Tobia Righi, the breakthrough came when the fuzzer returned an unexpected error message revealing unsafe parameter handling: “MALFORMED_QUERY: \nContentVersion WHERE ContentDocumentId = ”’\n ERROR at Row:1:Column:239\nunexpected token: ”'”.
This error indicated that the contentDocumentId parameter was being directly embedded into SOQL queries without proper sanitization, creating a pathway for injection attacks.
Despite SOQL’s inherent restrictions compared to traditional SQL injection vulnerabilities, the researcher successfully developed an exploitation technique using error-based blind injection methods.
The attack leveraged response discrepancies between valid and invalid queries to extract sensitive database information.
The technique exploited different server responses: successful subqueries returned “Cannot invoke “common.udd.EntityInfo.getEntityId()” because “ei” is null”, while unsuccessful ones returned “Error in retrieving content document”.
The researcher enhanced the attack by incorporating Salesforce ID generation techniques, using existing scripts to generate thousands of valid contentDocumentId values starting with the prefix “069”.
This allowed systematic extraction of document names, descriptions, and user details from both public and private ContentDocument objects across the platform.
Patch Released
After reporting the vulnerability to an affected organization, the researcher learned that the vulnerable controller was actually part of Salesforce’s default installation, not custom code.
When subsequently reported to Salesforce in late February 2025, the company quietly patched the vulnerability without issuing a public advisory, CVE designation, or acknowledgment in release notes.
The vulnerability’s impact extends far beyond individual organizations, as the affected controller was present in all Salesforce deployments by default.
The silent patching approach, while resolving the immediate security risk, has left the security community without official guidance on detection methods or potential indicators of compromise from the vulnerability’s exploitation window.
#Cyber_Security #Cyber_Security_News #Vulnerability #Zero-Day #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
