Cyber Resilience

CVE-2022-38488

Critical · Public PoC

Published: 14 December 2022

Modified: 22 April 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0092 (76.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-38488 is a critical-severity SQL Injection (CWE-89) vulnerability in logrocket-oauth2-example (vendor: logrocket-oauth2-example project). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 23.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-38488 is a SQL injection vulnerability in the logrocket-oauth2-example project through version dated 2020-05-27. The flaw exists in the handling of the username parameter submitted to the /auth/register endpoint and is tracked under CWE-89. The component is an example Node.js OAuth 2.0 implementation originally published via a LogRocket blog post.

Unauthenticated remote attackers can supply crafted input over the network to the registration endpoint, enabling arbitrary SQL command execution. Successful exploitation yields full read, write, and delete access to the underlying database, with high impact on confidentiality, integrity, and availability, consistent with the CVSS 9.8 rating.

Public references include the original project repository, the LogRocket tutorial, archived snapshots of the vulnerable code, and a separate GitHub repository containing proof-of-concept material for the injection. No vendor-issued patches or official mitigation guidance appear among the listed references. The EPSS score rose from a low baseline to a peak of 0.0747 before receding to the current value of 0.0092.

Vulnerability details

logrocket-oauth2-example through 2020-05-27 allows SQL injection via the /auth/register username parameter.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: logrocket-oauth2-example project
Product: logrocket-oauth2-example
Versions: ≤ 2020-05-27

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.
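The following is an added example, not code from the logrocket-oauth2-example project or from this entry's references. It illustrates the weakness class behind CVE-2022-38488 and the second control above (input validation plus parameterized queries) in one place: a registration-style username check written with string concatenation, beside the hardened form that binds the username as a parameter and validates it against an allowlist first. It uses Python's built-in sqlite3 as a stand-in for whatever database the Node.js project used; the function names, the schema, the allowlist pattern and the sample inputs are all assumptions made for this demonstration, and the project's actual /auth/register code is not reproduced here.

```python
import hashlib
import os
import re
import sqlite3

# Constructed schema for the demonstration (assumption, not the project's schema).
SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)"

# Allowlist for usernames: defence in depth, not a substitute for parameter binding.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def make_db():
    """Create an in-memory database with the users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def hash_password(password):
    """Salted PBKDF2 hash, stored as salt:hash so the demo never keeps plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def username_taken_unsafe(conn, username):
    """Vulnerable pattern (CWE-89): the username is spliced into the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = f"SELECT COUNT(*) FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()[0] > 0


def username_taken_safe(conn, username):
    """Hardened form: the driver binds the value; it can never become SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0] > 0


def register_safe(conn, username, password):
    """Registration handler in the hardened style: validate, then bind parameters."""
    if not USERNAME_RE.fullmatch(username):
        return "invalid username"
    if username_taken_safe(conn, username):
        return "username taken"
    conn.execute(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        (username, hash_password(password)),
    )
    conn.commit()
    return "created"


def run_demo():
    """Exercise both variants on constructed inputs and return the observations."""
    conn = make_db()
    results = {}
    results["create_alice"] = register_safe(conn, "alice", "correct horse")
    results["duplicate_alice"] = register_safe(conn, "alice", "other")

    # Constructed textbook tautology input: the unsafe check now reports 'taken'
    # for every request because the WHERE clause has been rewritten by the input.
    probe = "' OR '1'='1"
    results["unsafe_tautology"] = username_taken_unsafe(conn, probe)
    results["safe_tautology"] = username_taken_safe(conn, probe)
    results["safe_rejects_probe"] = register_safe(conn, probe, "x")

    # A legitimate apostrophe breaks the unsafe query outright (error disclosure
    # and a failed request), while the bound parameter handles it as plain data.
    try:
        username_taken_unsafe(conn, "o'brien")
        results["unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "sql error"
    results["safe_apostrophe"] = username_taken_safe(conn, "o'brien")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the pair is that the fix for this weakness class is structural: the hardened handler never builds SQL from the request, and the allowlist in front of it only narrows what reaches the database. A code review or a grep for string formatting next to a query call (f-strings, `+` concatenation, template literals in Node) is the quickest way to find the unsafe variant in a codebase like the one this entry describes.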
