GHSA-VMW2-QWM8-X84C

Vulnerability from github – Published: 2026-05-14 20:46 – Updated: 2026-05-14 20:46
VLAI
Summary
Marten has an injection vulnerability in its full-text search regConfig parameter
Details

Summary

Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink.

Affected APIs

  • IQuerySession.SearchAsync<T>(string searchTerm, string regConfig, ...)
  • IQuerySession.PlainTextSearchAsync<T>(...)
  • IQuerySession.PhraseSearchAsync<T>(...)
  • IQuerySession.WebStyleSearchAsync<T>(...)
  • IQuerySession.PrefixSearchAsync<T>(...)
  • IQueryable<T>.Where(x => x.Search(term, regConfig)) and the matching PlainTextSearch / PhraseSearch / WebStyleSearch / PrefixSearch extension methods

Details

In the affected versions, FullTextWhereFragment renders the WHERE-clause SQL by string interpolation:

private string Sql =>
    $"to_tsvector('{_regConfig}'::regconfig, {_dataConfig}) @@ {_searchFunction}('{_regConfig}'::regconfig, ?)";

_regConfig arrives unchanged from the public API surface above. Any value containing a single quote terminates the SQL literal and lets an attacker append arbitrary PostgreSQL.

Confirmed exploit shapes (with regConfig set to attacker-controlled input)

Goal Payload
Time-based blind english'::text); SELECT pg_sleep(5); --
Information disclosure english'; SELECT version(); --
DDL execution english'; DROP TABLE mt_doc_article; --

All five overloads listed above produced SQL containing the verbatim payload.

Impact

  • Confidentiality: an attacker can append arbitrary SELECT statements and exfiltrate database contents through error channels, response timing, or — if the application surfaces query results — directly.
  • Integrity / Availability: DDL, UPDATE, DELETE, and pg_sleep-style denial-of-service payloads succeed under the same vector. Concrete impact depends on the database role used by the Marten connection string.
  • Precondition: the calling application must forward attacker-controlled input into the regConfig parameter (e.g. a ?lang= query string mapped to regConfig). Applications that hard-code regConfig to a compile-time constant are not exploitable.

Patches

Fixed in Marten 8.36.1 (and forward) by #4343.

FullTextWhereFragment now validates regConfig against ^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*)?$ (a simple PostgreSQL identifier, optionally schema-qualified, capped at NAMEDATALEN-1 per side) and throws ArgumentException for anything else. The default value ("english"), schema-qualified configs ("pg_catalog.english"), and the standard PostgreSQL text-search configurations all continue to work.

Workarounds

If users cannot upgrade immediately, do one of the following at the application boundary:

  1. Hard-code regConfig to a compile-time constant ("english", "simple", …) and never accept it from request input.
  2. Validate any externally-sourced regConfig value before passing it to Marten — e.g. against the same regex as the patch (^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*)?$) or against an allowlist of PostgreSQL configurations the application actually uses.
  3. Drop the regConfig argument from the call site so Marten falls back to the safe default.

Resources

Credit

Reported privately to the JasperFx team with a working proof of concept covering all five affected overloads.

Severity
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.36"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Marten"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.37.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:46:26Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nMarten\u0027s full-text search APIs interpolated the user-supplied `regConfig` parameter directly into the generated SQL without parameterization or validation, making every code path that exposes `regConfig` to untrusted input a SQL injection sink.\n\n## Affected APIs\n\n- `IQuerySession.SearchAsync\u003cT\u003e(string searchTerm, string regConfig, ...)`\n- `IQuerySession.PlainTextSearchAsync\u003cT\u003e(...)`\n- `IQuerySession.PhraseSearchAsync\u003cT\u003e(...)`\n- `IQuerySession.WebStyleSearchAsync\u003cT\u003e(...)`\n- `IQuerySession.PrefixSearchAsync\u003cT\u003e(...)`\n- `IQueryable\u003cT\u003e.Where(x =\u003e x.Search(term, regConfig))` and the matching `PlainTextSearch` / `PhraseSearch` / `WebStyleSearch` / `PrefixSearch` extension methods\n\n## Details\n\nIn the affected versions, [`FullTextWhereFragment`](https://github.com/JasperFx/marten/blob/master/src/Marten/Linq/SqlGeneration/Filters/FullTextWhereFragment.cs) renders the WHERE-clause SQL by string interpolation:\n\n```csharp\nprivate string Sql =\u003e\n    $\"to_tsvector(\u0027{_regConfig}\u0027::regconfig, {_dataConfig}) @@ {_searchFunction}(\u0027{_regConfig}\u0027::regconfig, ?)\";\n```\n\n`_regConfig` arrives unchanged from the public API surface above. Any value containing a single quote terminates the SQL literal and lets an attacker append arbitrary PostgreSQL.\n\n### Confirmed exploit shapes (with `regConfig` set to attacker-controlled input)\n\n| Goal | Payload |\n| --- | --- |\n| Time-based blind | `english\u0027::text); SELECT pg_sleep(5); --` |\n| Information disclosure | `english\u0027; SELECT version(); --` |\n| DDL execution | `english\u0027; DROP TABLE mt_doc_article; --` |\n\nAll five overloads listed above produced SQL containing the verbatim payload.\n\n## Impact\n\n- **Confidentiality**: an attacker can append arbitrary `SELECT` statements and exfiltrate database contents through error channels, response timing, or \u2014 if the application surfaces query results \u2014 directly.\n- **Integrity / Availability**: DDL, `UPDATE`, `DELETE`, and `pg_sleep`-style denial-of-service payloads succeed under the same vector. Concrete impact depends on the database role used by the Marten connection string.\n- **Precondition**: the calling application must forward attacker-controlled input into the `regConfig` parameter (e.g. a `?lang=` query string mapped to `regConfig`). Applications that hard-code `regConfig` to a compile-time constant are not exploitable.\n\n## Patches\n\nFixed in **Marten 8.36.1** (and forward) by [#4343](https://github.com/JasperFx/marten/pull/4343).\n\n`FullTextWhereFragment` now validates `regConfig` against `^[a-zA-Z_][a-zA-Z0-9_]*(\\.[a-zA-Z_][a-zA-Z0-9_]*)?$` (a simple PostgreSQL identifier, optionally schema-qualified, capped at `NAMEDATALEN-1` per side) and throws `ArgumentException` for anything else. The default value (`\"english\"`), schema-qualified configs (`\"pg_catalog.english\"`), and the standard PostgreSQL text-search configurations all continue to work.\n\n## Workarounds\n\nIf users cannot upgrade immediately, do **one** of the following at the application boundary:\n\n1. Hard-code `regConfig` to a compile-time constant (`\"english\"`, `\"simple\"`, \u2026) and never accept it from request input.\n2. Validate any externally-sourced `regConfig` value before passing it to Marten \u2014 e.g. against the same regex as the patch (`^[a-zA-Z_][a-zA-Z0-9_]*(\\.[a-zA-Z_][a-zA-Z0-9_]*)?$`) or against an allowlist of PostgreSQL configurations the application actually uses.\n3. Drop the `regConfig` argument from the call site so Marten falls back to the safe default.\n\n## Resources\n\n- Patch PR: [JasperFx/marten#4343](https://github.com/JasperFx/marten/pull/4343)\n- Patched file: [`FullTextWhereFragment.cs`](https://github.com/JasperFx/marten/blob/master/src/Marten/Linq/SqlGeneration/Filters/FullTextWhereFragment.cs)\n- Regression tests: [`full_text_regconfig_sql_injection.cs`](https://github.com/JasperFx/marten/blob/master/src/LinqTests/Bugs/full_text_regconfig_sql_injection.cs)\n- CWE-89: \u003chttps://cwe.mitre.org/data/definitions/89.html\u003e\n\n## Credit\n\nReported privately to the JasperFx team with a working proof of concept covering all five affected overloads.",
  "id": "GHSA-vmw2-qwm8-x84c",
  "modified": "2026-05-14T20:46:26Z",
  "published": "2026-05-14T20:46:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/JasperFx/marten/security/advisories/GHSA-vmw2-qwm8-x84c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JasperFx/marten/pull/4343"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JasperFx/marten/commit/626249656829860b9c55895b5b6046b61a2a695f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/JasperFx/marten"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Marten has an injection vulnerability in its full-text search regConfig parameter"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.