CVE-2024-35181

5.9 MEDIUM

📋 TL;DR

A SQL injection vulnerability in Meshery versions prior to 0.7.22 allows attackers to execute arbitrary SQL commands via the 'order' query parameter in the GetMeshSyncResourcesKinds API endpoint. This can lead to arbitrary file writes, data theft, and modification of sensitive configuration data. All Meshery deployments running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Meshery
Versions: All versions prior to 0.7.22
Operating Systems: All platforms running Meshery
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default API endpoint /api/system/meshsync/resources/kinds and requires no special configuration to be exploitable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can write arbitrary files to the server, steal session cookies from performance profiles, access Kubernetes configurations, and potentially achieve remote code execution through file manipulation.

🟠

Likely Case

Attackers can extract sensitive data from the database including performance profiles, application data, and Kubernetes configurations, potentially leading to lateral movement within the infrastructure.

🟢

If Mitigated

With proper input validation and parameterized queries, the SQL injection would be prevented, limiting impact to normal API functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in a publicly accessible API endpoint and SQL injection exploitation is well-understood with many available tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.22

Vendor Advisory: https://github.com/meshery/meshery/security/advisories

Restart Required: Yes

Instructions:

1. Stop the Meshery service.
2. Update to version 0.7.22 or later using your deployment method (Docker, Kubernetes, etc.).
3. Restart the Meshery service.
4. Verify the fix by checking the version and testing the vulnerable endpoint.

🔧 Temporary Workarounds

API Endpoint Restriction

Applies to: all

Block or restrict access to the vulnerable API endpoint using network controls or web application firewall rules.

# Example nginx location block
location /api/system/meshsync/resources/kinds {
    deny all;
    return 403;
}

Input Validation Filter

Applies to: all

Implement input validation at the proxy/WAF level to reject SQL injection patterns in the 'order' parameter.

# Example ModSecurity rule
SecRule ARGS:order "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
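
The WAF rule above is a stopgap; the durable server-side form of the input validation this page recommends is shown here as an added example (not Meshery's own code). Because an ORDER BY column or direction cannot be bound as a query parameter, the handler must accept the 'order' value only against an allowlist and build the SQL from allowlisted literals; the column names and default ordering are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical allowlist of sortable columns for the resource-kinds query.
// These names are assumed for illustration and are not Meshery's schema.
var sortableColumns = map[string]string{
	"kind":  "kind",
	"count": "count",
}

// BuildOrderClause turns a user-supplied "order" value such as "kind desc"
// into an ORDER BY fragment. Column and direction are matched against fixed
// allowlists and the result is assembled only from allowlisted literals, so
// no byte of the request is ever copied into the query text.
func BuildOrderClause(order string) (string, error) {
	parts := strings.Fields(order)
	if len(parts) == 0 {
		return "ORDER BY kind ASC", nil // assumed default ordering
	}
	if len(parts) > 2 {
		return "", errors.New("order: expected '<column> [asc|desc]'")
	}
	col, ok := sortableColumns[strings.ToLower(parts[0])]
	if !ok {
		return "", fmt.Errorf("order: column %q is not sortable", parts[0])
	}
	dir := "ASC"
	if len(parts) == 2 {
		switch strings.ToLower(parts[1]) {
		case "asc":
		case "desc":
			dir = "DESC"
		default:
			return "", fmt.Errorf("order: direction %q is not allowed", parts[1])
		}
	}
	return "ORDER BY " + col + " " + dir, nil
}

func main() {
	for _, in := range []string{"kind desc", "Count", "", "kind; x", "name"} {
		clause, err := BuildOrderClause(in)
		fmt.Printf("%q -> %q err=%v\n", in, clause, err)
	}
}
```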

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to Meshery API endpoints to trusted sources only.
  • Deploy a web application firewall (WAF) with SQL injection protection rules in front of Meshery.

🔍 How to Verify

Check if Vulnerable:

Check if Meshery version is below 0.7.22 and test the /api/system/meshsync/resources/kinds endpoint with SQL injection payloads in the 'order' parameter.

Check Version:

Run mesheryctl version, or check the Meshery UI dashboard for version information.

Verify Fix Applied:

After patching, verify version is 0.7.22 or higher and test that SQL injection payloads no longer execute successfully.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed attempts to /api/system/meshsync/resources/kinds
  • ATTACH DATABASE commands in SQL logs

Network Indicators:

  • SQL keywords in HTTP GET parameters
  • Unusual patterns of requests to the vulnerable endpoint
  • Stacked query patterns in HTTP traffic

SIEM Query:

source="meshery" AND (url="/api/system/meshsync/resources/kinds" AND (param="order" AND value MATCHES "(?i)(SELECT|UNION|ATTACH|--|;)"))
