CVE-2022-38488
Published: 14 December 2022
Summary
CVE-2022-38488 is a critical-severity SQL Injection (CWE-89) vulnerability in the Logrocket-Oauth2-Example project. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 23.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-38488 is a SQL injection vulnerability in the logrocket-oauth2-example project through version dated 2020-05-27. The flaw exists in the handling of the username parameter submitted to the /auth/register endpoint and is tracked under CWE-89. The component is an example Node.js OAuth 2.0 implementation originally published via a LogRocket blog post.
Unauthenticated remote attackers can supply crafted input over the network to the registration endpoint, enabling arbitrary SQL command execution. Successful exploitation yields full read, write, and delete access to the underlying database, with impact on confidentiality, integrity, and availability, consistent with the CVSS 9.8 rating.
Public references include the original project repository, the LogRocket tutorial, archived snapshots of the vulnerable code, and a separate GitHub repository containing proof-of-concept material for the injection. No vendor-issued patches or official mitigation guidance appear among the listed references. The EPSS score rose from a low baseline to a peak of 0.0747 before receding to the current value of 0.0092.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-41071
Vulnerability details
logrocket-oauth2-example through 2020-05-27 allows SQL injection via the /auth/register username parameter.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.