GHSA-v64v-fq96-c5wv: SQL Injection
First published: Wed Apr 23 2025(Updated: )
PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the SQL parser. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the database account. Was ZDI-CAN-25350.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/@posthog/plugin-server | <=1.10.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of GHSA-v64v-fq96-c5wv?
The severity of GHSA-v64v-fq96-c5wv is high due to its potential for remote code execution.
How do I fix GHSA-v64v-fq96-c5wv?
To fix GHSA-v64v-fq96-c5wv, upgrade the @posthog/plugin-server package to version 1.10.8 or later.
Who can exploit GHSA-v64v-fq96-c5wv?
Network-adjacent attackers with authentication can exploit GHSA-v64v-fq96-c5wv.
What software is affected by GHSA-v64v-fq96-c5wv?
The affected software includes the @posthog/plugin-server package up to version 1.10.7.
What type of vulnerability is GHSA-v64v-fq96-c5wv?
GHSA-v64v-fq96-c5wv is a SQL Injection vulnerability that allows remote code execution.
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-v64v-fq96-c5wv
- alias/CVE-2025-1520
- agent/software-canonical-lookup
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/source
- agent/type
- agent/description
- agent/tags
- agent/first-publish-date
- agent/severity
- agent/event
- package-manager/npm