ElectricSQL database takeover vulnerability found by AI (opens in new tab)

(casco.com)

5 pointsbrene27d ago2 comments

2 comments

breneOP27d ago

Rene from Casco here. While our agents were performing a security test, they discovered a database takeover vulnerability. It's a good example of how SQL injection is still a test path that needs to be explicitly be validated. Really want to give props to the ElectricSQL team from issue reported to issue fixed and deployed, it took ~2 hours.

thruflo26d ago

Thanks from the Electric side to the Casco team for the responsible disclosure, comprehensive repro and great communication through the process.

This was a critical one to identify and patch: https://github.com/electric-sql/electric/security/advisories...

Just to repeat for visibility, if you're self-hosting the Electric sync service, upgrade to version >= 1.5.0 immediately.

j / k navigate · click thread line to collapse

2 comments

breneOP27d ago

thruflo26d ago

Thanks from the Electric side to the Casco team for the responsible disclosure, comprehensive repro and great communication through the process.

This was a critical one to identify and patch: https://github.com/electric-sql/electric/security/advisories...

Just to repeat for visibility, if you're self-hosting the Electric sync service, upgrade to version >= 1.5.0 immediately.

j / k navigate · click thread line to collapse