Listen to this Post
In PowerSync version 1.20.0, a vulnerability exists in the new sync streams feature when config.edition is set to 3. The issue causes certain subquery filters to be ignored during the data synchronization process. Specifically, subqueries that are used solely to determine whether a table should be synced—without partitioning the result set—are not evaluated correctly. As a result, all authenticated users receive data that should have been restricted to authorized users only. For example, a query like `SELECT FROM sensitive_table WHERE auth.user_id() IN (SELECT user_id FROM admins)` is intended to sync the table only to admin users. However, in the affected version, this filter is ignored, and every authenticated user syncs the table. The flaw does not affect sync rules (bucket_definitions) or sync streams using config.edition: 2. Only queries that gate synchronization using subqueries without partitioning are vulnerable. The issue arises from improper handling of subquery conditions in the sync stream logic. No authentication bypass occurs; only authenticated users can exploit it, but they gain access to data they shouldn’t see. The vulnerability is fixed in version 1.20.1 by correcting the subquery evaluation. Upon upgrading and restarting, any mistakenly synced data is automatically removed from client devices when they reconnect. PowerSync Cloud instances have been updated, and self-hosted users must upgrade. Examples of vulnerable queries include those with subqueries that check for admin status or allowed tables without partitioning the result set. Queries that partition data, such as those including owner IN (SELECT id FROM users WHERE ...), are not affected. This vulnerability underscores the importance of thorough testing of access control mechanisms in data synchronization platforms.
Platform: PowerSync
Version: 1.20.0
Vulnerability: Subquery filter bypass
Severity: Critical
Date: Unknown
Prediction: Fixed in 1.20.1
What Undercode Say:
Analytics:
- Check PowerSync version: `powersync –version` or `docker exec
powersync –version`
– Restart PowerSync service after upgrade: `sudo systemctl restart powersync` or `docker restart`
– Example vulnerable query: `SELECT FROM sensitive_table WHERE auth.user_id() IN (SELECT user_id FROM admins);`
– Example safe query (partitioned): `SELECT FROM sensitive_table WHERE owner IN (SELECT id FROM users WHERE is_admin AND id = auth.user_id());`
– Simulate exploit: Authenticate as a non-admin user and attempt to sync data from a table restricted by the vulnerable query pattern; observe if data is received.
How Exploit:
An authenticated attacker can exploit this by connecting to a PowerSync instance running version 1.20.0 with config.edition: 3 and a sync stream that uses a vulnerable subquery filter. The attacker will receive full table data intended only for privileged users, as the subquery condition is ignored. No additional authentication or action is required beyond normal synchronization.
Protection from this CVE:
Upgrade PowerSync to version 1.20.1 immediately. For self-hosted instances, download the latest version and restart the service. For PowerSync Cloud, no action is needed as instances are already patched. After upgrading, any erroneously synced data will be automatically removed from client devices upon their next connection. Ensure all sync streams are reviewed to avoid using vulnerable query patterns.
Impact:
Authenticated users can sync restricted data they are not authorized to access, leading to unauthorized exposure of sensitive information. This can result in data breaches, privilege escalation, and compliance violations. The vulnerability does not allow unauthenticated access but affects all users with valid authentication.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

