CVE-2026-26198
Ormar · Ormar ORM
Ormar ORM aggregate queries lack sanitization in `min()` and `max()` methods, allowing unauthenticated attackers to inject raw SQL and extract entire database contents via subqueries.
Executive summary
A critical SQL injection vulnerability in the Ormar ORM for Python allows unauthenticated attackers to exfiltrate sensitive database contents by manipulating aggregate query parameters.
Vulnerability
This SQL injection flaw occurs because the column names supplied to the `min()` and `max()` aggregate methods are interpolated directly into `sqlalchemy.text()` without validation. Because the value is treated as raw SQL rather than as a quoted identifier, an unauthenticated attacker who controls that argument can embed a subquery inside the aggregate function call and have it executed with the application's database privileges.
Business impact
Successful exploitation allows an unauthorized actor to read the entire database, including tables completely unrelated to the application's models. Given the CVSS score of 9.8, this represents a near-total loss of data confidentiality and could lead to significant regulatory non-compliance and reputational damage.
Remediation
Immediate Action: Upgrade the Ormar package to version 0.23.0 or later; that release corrects the unsanitized SQL construction in the aggregate methods.
Proactive Monitoring: Review database logs for unusual subqueries within aggregate functions and monitor for unexpected data egress patterns.
Compensating Controls: Until the upgrade is deployed, validate at the application layer any value that reaches an aggregate method: accept only plain identifiers that match an allowlist of the model's own field names, and reject everything else before it reaches the ORM.
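The two controls above (log review for subqueries inside aggregate calls, and an application-layer allowlist on column names) in working code, as an added example that is not part of this advisory and not Ormar's own code. The table, column names, and log lines are constructed for the example; the string returned by `safe_aggregate()` stands in for the fragment that would otherwise be handed to `sqlalchemy.text()`, and the allowlist should in practice be derived from the model's field definitions rather than hard-coded.

```python
"""Added example: allowlist validation for aggregate column names and a
query-log check for aggregate calls that wrap a subquery. Not Ormar code.
All table names, column names and log lines are constructed."""
import re
from typing import Iterable

# Constructed allowlist: the only column names the application's model
# exposes. Derive this from the ORM model's fields in a real deployment.
KNOWN_COLUMNS = {"orders": {"id", "total", "created_at"}}

# A plain SQL identifier: letters, digits, underscore, no punctuation.
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_column(table: str, column: str) -> str:
    """Return `column` unchanged if it is a plain identifier on the allowlist
    for `table`; raise ValueError otherwise. Anything that could carry SQL
    (parentheses, spaces, quotes, keywords) fails the identifier check."""
    if not _IDENTIFIER.fullmatch(column):
        raise ValueError(f"column name is not a plain identifier: {column!r}")
    if column not in KNOWN_COLUMNS.get(table, set()):
        raise ValueError(f"unknown column {column!r} for table {table!r}")
    return column


def is_valid_column(table: str, column: str) -> bool:
    """Boolean wrapper around validate_column for callers that only branch."""
    try:
        validate_column(table, column)
    except ValueError:
        return False
    return True


def safe_aggregate(table: str, func: str, column: str) -> str:
    """Build a MIN/MAX fragment only after the column passed validation.
    This is the compensating control; the actual fix is the upgrade."""
    func = func.upper()
    if func not in {"MIN", "MAX"}:
        raise ValueError(f"unsupported aggregate: {func!r}")
    return f"{func}({validate_column(table, column)})"


# Detection: a MIN/MAX call whose argument opens with a SELECT, optionally
# wrapped in its own parentheses, which is the shape of the injected subquery
# the advisory describes. Legitimate column references never match.
_AGG_SUBQUERY = re.compile(r"\b(MIN|MAX)\s*\(\s*\(?\s*SELECT\b", re.IGNORECASE)


def find_suspicious_aggregates(log_lines: Iterable[str]) -> list[str]:
    """Return the log lines containing an aggregate call around a subquery."""
    return [line for line in log_lines if _AGG_SUBQUERY.search(line)]


# Constructed query-log lines, not taken from any real system.
SAMPLE_LOG = [
    "2026-03-01T10:00:00Z SELECT MIN(orders.total) FROM orders",
    "2026-03-01T10:00:01Z SELECT MAX((SELECT name FROM other_table)) FROM orders",
    "2026-03-01T10:00:02Z SELECT id FROM orders WHERE total > 10",
    "2026-03-01T10:00:03Z SELECT min( (select secret from other_table) ) FROM orders",
]


if __name__ == "__main__":
    print(safe_aggregate("orders", "min", "total"))
    for hit in find_suspicious_aggregates(SAMPLE_LOG):
        print("suspicious:", hit)
```

The identifier check runs before the allowlist lookup so that a rejected value is never compared against field names as if it were one; a value such as `(SELECT ...)` fails on the first test. The log check is deliberately narrow: it flags only the aggregate-wrapping-subquery pattern this advisory describes, so tune it to your database's log format before relying on it.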
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability is categorized as Critical because no authentication is required and the impact on data confidentiality is total. Organizations running affected versions of Ormar must prioritize the update to version 0.23.0 or later to mitigate the risk of full database compromise.