CVE-2025-50468
📋 TL;DR
OpenMetadata versions up to 1.4.4 contain a SQL injection vulnerability in the DocStoreDAO interface's listCount function. Attackers can exploit this by manipulating the entityType parameter to execute arbitrary SQL queries and extract sensitive database information. This affects all deployments running vulnerable versions of OpenMetadata.
💻 Affected Systems
- OpenMetadata
📦 What is this software?
Openmetadata by Open Metadata
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise allowing extraction of all stored metadata, credentials, and sensitive configuration data, potentially leading to complete system takeover.
Likely Case
Extraction of sensitive metadata, user information, and configuration details from the database, enabling further attacks or data exfiltration.
If Mitigated
Limited data exposure if proper input validation and database permissions are in place, but still represents a significant security risk.
🎯 Exploit Status
Exploitation requires understanding of the API endpoints and SQL injection techniques, but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 1.4.4
Vendor Advisory: https://github.com/open-metadata/OpenMetadata/security/advisories
Restart Required: No
Instructions:
1. Upgrade OpenMetadata to version 1.4.5 or later.
2. Review the patch in CollectionDAO.java lines 4411-4412.
3. Deploy the updated version following standard deployment procedures.
🔧 Temporary Workarounds
Input Validation Filter
Implement a web application firewall or proxy that validates and sanitizes entityType parameter inputs.
Database Permission Reduction
Restrict database user permissions to read-only for the OpenMetadata application account.
🧯 If You Can't Patch
- Implement strict input validation for all entityType parameters at the application level
- Deploy a WAF with SQL injection protection rules and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check OpenMetadata version via admin interface or by examining deployment configuration. Versions <=1.4.4 are vulnerable.
Check Version:
Check OpenMetadata UI admin panel or deployment configuration files for version information
Verify Fix Applied:
Verify that the running version is >1.4.4 and review CollectionDAO.java to ensure the listCount function uses parameterized queries rather than string concatenation of entityType.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple requests with malformed entityType parameters
- Error logs showing SQL syntax errors
Network Indicators:
- HTTP requests with SQL injection patterns in entityType parameter
- Unusual data extraction patterns from OpenMetadata API
SIEM Query:
source="openmetadata" AND (entityType CONTAINS "UNION" OR entityType CONTAINS "SELECT" OR entityType CONTAINS "--")
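The log indicators above, turned into a small offline detector. This is an added example, not OpenMetadata project code: it assumes combined-format access logs (the request path /api/v1/example and the log lines are constructed), decodes the entityType query parameter twice to catch double-encoded probes, and flags the same markers the SIEM query uses plus any value that is not a plain identifier.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request-line extractor for combined/common access-log style lines (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Injection markers, mirroring the SIEM query on this page (UNION, SELECT, comment/terminator).
SQLI_RE = re.compile(r"(union\s+select|\bselect\b|--|/\*|;)", re.IGNORECASE)
# A legitimate entityType is a plain identifier; anything else is at least malformed.
VALID_ENTITY_TYPE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def classify_entity_type(value):
    """Return 'ok', 'sqli' or 'malformed' for one entityType value from the query string."""
    decoded = unquote_plus(value)  # second decode pass catches double-encoded probes
    if SQLI_RE.search(decoded):
        return "sqli"
    if not VALID_ENTITY_TYPE.match(decoded):
        return "malformed"
    return "ok"


def scan_access_log(text):
    """Return findings for lines whose entityType parameter looks like a probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in params.get("entityType", []):
            verdict = classify_entity_type(value)
            if verdict != "ok":
                findings.append({"ip": m["ip"], "status": m["status"],
                                 "verdict": verdict, "value": unquote_plus(value)})
    return findings


# Constructed sample log: one normal request, one encoded probe, one double-encoded probe,
# one malformed value, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /api/v1/example?entityType=table HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /api/v1/example?entityType=table'%20UNION%20SELECT%201-- HTTP/1.1" 500 89
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /api/v1/example?entityType=table%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 500 89
10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /api/v1/example?entityType=table%20AND%201%3D1 HTTP/1.1" 400 40
10.0.0.7 - - [01/Jan/2025:10:00:05 +0000] "GET /api/v1/example?limit=10 HTTP/1.1" 200 128
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Repeated `sqli` verdicts from one source IP against a host still at or below 1.4.4 are the signal to prioritise; a `malformed` verdict alone is noise-tolerant but worth counting.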
🔗 References
- https://gist.github.com/javadk/0be29d2bb5a971bc09f3410659c83308
- https://github.com/open-metadata/OpenMetadata/blob/4b9145a9da7ed95b7f868ab9f351e3d759af47d7/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/CollectionDAO.java#L4411
- https://github.com/open-metadata/OpenMetadata/blob/4b9145a9da7ed95b7f868ab9f351e3d759af47d7/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/CollectionDAO.java#L4412