CVE-2026-40906
ElectricSQL · Electric
ElectricSQL is vulnerable to error-based SQL injection via the /v1/shape API, allowing authenticated users to read, modify, or destroy database contents.
Executive summary
An authenticated SQL injection vulnerability in the ElectricSQL sync engine allows attackers to perform full database manipulation.
Vulnerability
The vulnerability resides in the order_by parameter of the /v1/shape API, where insufficient validation allows an authenticated user to inject malicious SQL queries into the underlying PostgreSQL database.
Business impact
With a CVSS score of 9.9, this vulnerability allows an authenticated attacker to bypass all database access controls. This results in a high risk of data destruction, unauthorized data exfiltration, and full database compromise, which could lead to severe operational disruption and regulatory non-compliance.
Remediation
Immediate Action: Upgrade ElectricSQL to version 1.5.0 or later to patch the vulnerable API endpoint.
Proactive Monitoring: Examine database audit logs for anomalous query patterns or unexpected data modification attempts.
Compensating Controls: Enforce strict API authentication and rate-limiting, and ensure the database service account operates with the minimum required privileges.
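The compensating controls above limit blast radius but do not close the injection itself; the durable fix for an order_by parameter is to never splice the request string into SQL and instead map each term onto an allowlist of sortable columns. The following Python is an added illustration written for this page, not ElectricSQL's own code (the project is written in Elixir); the column allowlist and the function names are assumptions.

```python
import re

# Constructed allowlist for this illustration: the columns a hypothetical
# shape may be sorted by. Not ElectricSQL's schema.
ALLOWED_SORT_COLUMNS = {"id", "name", "created_at", "updated_at"}

# One sort term: a bare identifier, optionally followed by ASC or DESC.
# Quotes, semicolons, parentheses, commas inside a term and comment markers
# can never match, so they are rejected before any SQL is built.
_TERM_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?$", re.IGNORECASE)


def unsafe_order_by_clause(raw: str) -> str:
    """The pattern to avoid: request text flows straight into the query."""
    return f"ORDER BY {raw}"


def parse_order_by(raw: str, allowed=ALLOWED_SORT_COLUMNS) -> list:
    """Validate a user-supplied order_by value.

    Returns a list of (column, direction) pairs, or raises ValueError when
    any term is not an allowlisted column (case-sensitive) plus an optional
    ASC/DESC. An empty value or a trailing comma is rejected as well.
    """
    parsed = []
    for term in (t.strip() for t in raw.split(",")):
        m = _TERM_RE.match(term)
        if m is None:
            raise ValueError(f"malformed order_by term: {term!r}")
        column, direction = m.group(1), (m.group(2) or "ASC").upper()
        if column not in allowed:
            raise ValueError(f"column not sortable: {column!r}")
        parsed.append((column, direction))
    return parsed


def safe_order_by_clause(raw: str, allowed=ALLOWED_SORT_COLUMNS) -> str:
    """Render the validated terms as an ORDER BY clause.

    Each column written out is the allowlist's own string, never the raw
    request text, and is double-quoted as a PostgreSQL identifier.
    """
    terms = parse_order_by(raw, allowed)
    return "ORDER BY " + ", ".join(f'"{col}" {direction}' for col, direction in terms)


def is_safe_order_by(raw: str, allowed=ALLOWED_SORT_COLUMNS) -> bool:
    """True when the value passes validation, False otherwise."""
    try:
        parse_order_by(raw, allowed)
        return True
    except ValueError:
        return False
```

The same validator can be run over request logs from the Proactive Monitoring step: any order_by value it rejects is worth a closer look.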
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability represents a critical threat to database integrity. Given that the impact includes the ability to destroy data, administrators must prioritize updating to version 1.5.0 and perform an immediate review of database access logs for signs of suspicious activity.