SECURITY WIN

NocoDB Security Assessment

Identified 5 security vulnerabilities, including a critical SQL injection in the Oracle client, two high-severity SSRF issues in attachment uploads, a WebSocket authentication bypass, and an information disclosure in error messages. Delivered fixes as tested pull requests; NocoDB has since implemented fixes on its own internal private branches.
December 2025 · 12 min read
Kolega.dev Team
Tags: NocoDB, SQL Injection, SSRF, Authentication Bypass

Executive Summary

This security assessment was conducted using Kolega.dev's automated security remediation platform, which combines traditional security scanning (SAST, SCA, secrets detection) with proprietary AI-powered deep code analysis. Our two-tier detection approach identified vulnerabilities that standard tools miss, including complex logic flaws and cross-service injection vectors.

Our analysis of the NocoDB repository identified 5 vulnerabilities through Kolega.dev Deep Code Scan (Tier 2) and 14 findings through traditional SAST scanning (Tier 1) that warrant attention. Following responsible disclosure practices, and after the SLA period expired without a response, verified fixes for all five Tier 2 vulnerabilities, including every critical and high severity finding, were submitted as public pull requests. NocoDB has since implemented fixes on its own internal private branches.

Vulnerability Overview

ID   Title                              Severity                        Exploitable   Requires
V1   SQL Injection in Oracle Client     Critical                        Yes           Org Creator+ role
V2   WebSocket Authentication Bypass    Low (OSS) / High (Enterprise)   Yes           None
V3   SSRF in Attachment Upload          High                            Yes           Editor+ role
V4   SSRF in uploadViaURL               High                            Yes           Upload permission
V5   Information Disclosure in Errors   Medium                          Yes           Editor+ role

Responsible Disclosure Timeline

Kolega.dev follows responsible disclosure practices. We attempted to coordinate privately through NocoDB's official security reporting channel before proceeding with public disclosure.

December 10, 2025

Initial responsible disclosure sent to security@nocodb.com

Full technical details, reproduction steps, and proposed fixes submitted through official security reporting channel.

December 16, 2025

Follow-up sent noting the approaching 7-day SLA

Reminder sent as published response timeframe was approaching without acknowledgment.

December 19, 2025

Public disclosure proceeding per responsible disclosure practices

After the published SLA was exceeded without acknowledgment, public disclosure proceeded to ensure community protection.

December 19, 2025

Deep Scan vulnerability fixes submitted as public PRs

Five pull requests submitted with verified fixes for all Tier 2 vulnerabilities identified by Kolega.dev Deep Code Scan.

Submitted Pull Requests - Deep Scan Vulnerabilities (Tier 2)

Fixes Available: After the disclosure SLA period expired without response, Kolega.dev submitted verified fixes for all five Deep Scan vulnerabilities, including every critical and high severity finding, as public pull requests. These PRs contain ready-to-deploy security fixes.

Vuln   PR#      Vulnerability                      PR title
V1     #12748   SQL Injection in Oracle Client     fix(security): V1 - resolve SQL injection vulnerabilities in Oracle client
V2     #12749   WebSocket Authentication Bypass    fix(security): V2 - properly validate WebSocket authentication in gateway middleware
V3     #12750   SSRF in Attachment Upload          fix(security): V3 - add SSRF protection to attachment URL upload
V4     #12751   SSRF in uploadViaURL               fix(security): V4 - apply SSRF protection to axios.head() in uploadViaURL
V5     #12752   Information Disclosure in Errors   fix(security): V5 - sanitize error messages in base64 attachment processing

V1 - SQL Injection in Oracle Client

Location: packages/nocodb/src/db/sql-client/lib/oracle/OracleClient.ts
Affected lines: 169, 325, 345, 399, 538, 563, 637, 683-685, 755, 808, 862, 909, 955, 995, 1035, 1081, 1123
Classification: CWE-89
Requirements: Org Creator+ role

Description
The Oracle database client concatenates user-controlled parameters directly into SQL queries without parameterization. This affects multiple operations including user existence checks, table enumeration, and schema introspection.

Impact

  • Execute arbitrary SQL commands on Oracle databases

  • Exfiltrate sensitive data

  • Escalate to DBA privileges

  • Achieve complete database compromise

Recommended Fix
Replace string concatenation with parameterized queries using Oracle bind variables, applying the pattern to all 17 affected lines and using Knex's built-in parameterization where available. Values (user names, owner and table names compared against catalog columns) bind directly. Positions a bind variable cannot fill, such as a table name used as the object in a FROM clause, must instead be validated against a strict identifier allowlist and quoted; escaping alone is not a substitute.
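The concatenation pattern and its parameterized replacement, as an added example that is not NocoDB's or Kolega.dev's code: the table, column and helper names are hypothetical stand-ins for the introspection queries the assessment cites by line number only. The `?` to `:n` rewrite is the kind of conversion Knex's Oracle dialect performs on bindings, shown here so the literal-handling rules are visible; the identifier check covers the positions a bind variable cannot fill.

```typescript
// Added example, not NocoDB's or Kolega.dev's code: the concatenation pattern
// behind V1 beside a parameterized equivalent. The query text, table names and
// helper names are hypothetical stand-ins for the introspection queries in
// OracleClient.ts, which the assessment does not quote.

interface BoundQuery {
  sql: string;      // SQL text containing Oracle positional binds :1, :2, ...
  binds: unknown[]; // values shipped out of band; never spliced into the text
}

// Vulnerable shape: the caller-controlled value becomes part of the SQL text,
// so a quote in the input ends the literal and the rest is parsed as SQL.
function userExistsQueryUnsafe(username: string): string {
  return `SELECT COUNT(*) AS cnt FROM ALL_USERS WHERE USERNAME = '${username}'`;
}

// Rewrite knex-style '?' placeholders into Oracle bind variables. A '?'
// inside a single-quoted literal is left alone, and '' inside a literal is
// treated as an escaped quote rather than the end of the literal.
function toOracleBinds(sql: string, binds: unknown[]): BoundQuery {
  let out = '';
  let count = 0;
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (ch === "'") {
      if (inLiteral && sql[i + 1] === "'") { out += "''"; i++; continue; }
      inLiteral = !inLiteral;
      out += ch;
    } else if (ch === '?' && !inLiteral) {
      count++;
      out += `:${count}`;
    } else {
      out += ch;
    }
  }
  if (count !== binds.length) {
    throw new Error(`query has ${count} placeholders but ${binds.length} bindings`);
  }
  return { sql: out, binds };
}

// Fixed shape: the value travels as a bind, so the SQL text is constant
// whatever the input contains.
function userExistsQuerySafe(username: string): BoundQuery {
  return toOracleBinds(
    'SELECT COUNT(*) AS cnt FROM ALL_USERS WHERE USERNAME = ?',
    [username],
  );
}

// Owner and table name are values here (compared against catalog columns),
// so they bind like any other value.
function tableExistsQuery(owner: string, table: string): BoundQuery {
  return toOracleBinds(
    'SELECT COUNT(*) AS cnt FROM ALL_TABLES WHERE OWNER = ? AND TABLE_NAME = ?',
    [owner.toUpperCase(), table.toUpperCase()],
  );
}

// A name used *as* an object reference cannot be bound. Validate it against
// a strict pattern and quote it; anything that fails the pattern is rejected,
// not escaped.
const ORACLE_IDENT = /^[A-Za-z][A-Za-z0-9_$#]{0,127}$/;
function quoteIdentifier(name: string): string {
  if (!ORACLE_IDENT.test(name)) throw new Error('rejected identifier');
  return `"${name.toUpperCase()}"`;
}

function sampleRowsQuery(table: string): BoundQuery {
  return toOracleBinds(
    `SELECT * FROM ${quoteIdentifier(table)} WHERE ROWNUM <= ?`,
    [1000],
  );
}
```

Values bind; object names do not. Any introspection query that splices a table or schema name into the text needs the allowlist check rather than a bind, and a value that fails the check is refused outright.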

V2 - WebSocket Authentication Bypass

Location: packages/nocodb/src/gateways/socket.gateway.ts
Affected lines: 52-59
Classification: CWE-287
Requirements: None

Description
The WebSocket authentication middleware silently catches all errors and unconditionally allows connections, regardless of authentication status.

Impact

  • OSS: WebSocket only handles telemetry events, can pollute analytics data

  • EE: Real-time data sync implemented, attackers receive database updates

  • Session hijacking and data exfiltration possible in Enterprise

  • Allows connections with missing, invalid, or expired tokens

Recommended Fix
Check the result of token verification, reject unauthorized connections by propagating the error through the middleware's next(err) callback instead of swallowing it, and keep the rejection message generic so the client learns nothing about why.
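The fail-open middleware shape and its fail-closed replacement, as an added example that is not NocoDB's gateway code, run against a minimal stand-in for socket.io's io.use() contract, where next() admits the socket and next(err) rejects it. verifyToken is a hypothetical stub that accepts one constructed token; the real JWT handling is not reproduced.

```typescript
// Added example, not NocoDB's gateway code: the fail-open middleware shape
// behind V2 beside a fail-closed version, run against a minimal stand-in for
// socket.io's io.use() contract, where next() admits the socket and next(err)
// rejects it with a connect_error. verifyToken is a hypothetical stub that
// accepts a single constructed token.

interface HandshakeSocket {
  handshake: { auth?: { token?: string } };
  user?: { id: string };
}
type NextFn = (err?: Error) => void;
type Middleware = (socket: HandshakeSocket, next: NextFn) => void;

// Stand-in for JWT verification; throws like a real verifier would on a
// missing, malformed or expired token.
function verifyToken(token: string | undefined): { id: string } {
  if (token === 'valid-token') return { id: 'user-1' };
  throw new Error('invalid or expired token');
}

// Vulnerable shape: every path, including the catch, ends in a bare next(),
// so a socket with no token or a bad token is admitted with user unset.
const authMiddlewareFailOpen: Middleware = (socket, next) => {
  try {
    socket.user = verifyToken(socket.handshake.auth?.token);
  } catch {
    // error swallowed; the connection is still allowed below
  }
  next();
};

// Fixed shape: a failure becomes next(err), the result is checked before it
// is trusted, and the message stays generic.
const authMiddlewareFailClosed: Middleware = (socket, next) => {
  let user: { id: string } | null = null;
  try {
    user = verifyToken(socket.handshake.auth?.token);
  } catch {
    next(new Error('unauthorized'));
    return;
  }
  if (!user) {
    next(new Error('unauthorized'));
    return;
  }
  socket.user = user;
  next();
};

// Run a middleware over a constructed handshake and report whether the
// connection would be admitted.
function admits(mw: Middleware, token?: string): boolean {
  const socket: HandshakeSocket = {
    handshake: { auth: token === undefined ? {} : { token } },
  };
  const outcome = { admitted: false };
  mw(socket, (err) => { outcome.admitted = err === undefined; });
  return outcome.admitted;
}
```

The difference between the two is entirely in what happens to the error: with the fail-open version, a missing token, a garbage token and a valid token all reach the same next() call.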

V3 - SSRF in Attachment Upload

Location: packages/nocodb/src/services/v3/data-attachment-v3.service.ts
Affected lines: 373-379
Classification: CWE-918
Requirements: Editor+ role

Description
The downloadAndStoreAttachment function accepts user-supplied URLs without SSRF protection, allowing authenticated users to make arbitrary HTTP requests from the server.

Impact

  • Access cloud metadata endpoints (AWS/GCP/Azure credentials)

  • Scan internal network services

  • Reach internal APIs and databases

  • Potentially chain to RCE via vulnerable internal services

Recommended Fix
Route the download through the project's existing request-filtering-agent dependency by passing its agent as the axios httpAgent and httpsAgent, so that the address the socket actually connects to is checked, not only the URL as written.

V4 - SSRF in uploadViaURL

Location: packages/nocodb/src/services/attachments.service.ts
Affected lines: 287
Classification: CWE-918
Requirements: Upload permission

Description
The axios.head() call in uploadViaURL() lacks SSRF protection. While the subsequent fileCreateByUrl() has protection, the initial HEAD request executes without validation.

Impact

  • Blind SSRF via HEAD requests: the response body is not returned, but status code, response headers and timing are

  • Internal network reconnaissance (which hosts and ports answer, and with what server headers)

  • Credential exposure from metadata endpoints where a HEAD response leaks them in headers; a narrower channel than the body read in V3

Recommended Fix
Apply the same request-filtering-agent protection to the HEAD request that fileCreateByUrl() already applies to the GET, so that no outbound request for a user-supplied URL is made unfiltered.
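The address classes an SSRF filter has to reject, serving both V3 and V4, as an added example that is neither NocoDB's code nor the request-filtering-agent package: a pre-flight check on the user-supplied URL written out in full so the IPv4 shorthand, IPv6 and IPv4-mapped cases are visible. The blocked-host list and the sample URLs in the test are constructed for the example.

```typescript
import * as net from 'net';

// Added example, not NocoDB's code and not request-filtering-agent: the
// pre-flight URL check that V3 and V4 both lack, written out so the address
// classes it has to reject are visible. Hostnames are constructed.

// Hostnames never fetched on a user's behalf, whatever they resolve to.
const BLOCKED_HOSTS = new Set(['localhost', 'metadata.google.internal']);

// Expand an IPv6 literal (with optional :: and optional embedded IPv4) into
// its eight 16-bit groups.
function expandIPv6(ip: string): number[] {
  const lastColon = ip.lastIndexOf(':');
  const tail = ip.slice(lastColon + 1);
  if (tail.includes('.')) {
    const [a, b, c, d] = tail.split('.').map(Number);
    ip = `${ip.slice(0, lastColon + 1)}${((a << 8) | b).toString(16)}:${((c << 8) | d).toString(16)}`;
  }
  const [head, rest] = ip.split('::');
  const left = head ? head.split(':') : [];
  const right = rest ? rest.split(':') : [];
  const fill = new Array(8 - left.length - right.length).fill('0');
  return [...left, ...fill, ...right].map((g) => parseInt(g, 16));
}

// True for loopback, link-local (including 169.254.169.254), RFC 1918,
// CGNAT, multicast/reserved and their IPv6 counterparts, and for IPv4
// addresses tunnelled through an IPv4-mapped IPv6 literal.
function isPrivateAddress(ip: string): boolean {
  if (net.isIPv4(ip)) {
    const [a, b] = ip.split('.').map(Number);
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127) ||
      a >= 224
    );
  }
  if (net.isIPv6(ip)) {
    const g = expandIPv6(ip);
    if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
      // ::ffff:a.b.c.d carries an IPv4 address; classify that one
      return isPrivateAddress(`${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`);
    }
    if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
    if ((g[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
    if ((g[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
    if ((g[0] & 0xff00) === 0xff00) return true; // ff00::/8 multicast
    return false;
  }
  return true; // not an address literal: callers must resolve and re-check
}

type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

// Pre-flight check for a user-supplied attachment URL. Apply it before every
// outbound request the server makes for that URL, the HEAD in uploadViaURL
// included.
function checkAttachmentUrl(raw: string): UrlCheck {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'malformed URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL' };
  }
  // The WHATWG parser has already normalised 0x7f000001, 2130706433 and
  // 127.1 to 127.0.0.1; IPv6 literals arrive wrapped in brackets.
  const host = url.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (BLOCKED_HOSTS.has(host) || host.endsWith('.localhost') || host.endsWith('.internal')) {
    return { ok: false, reason: `blocked host ${host}` };
  }
  if (net.isIP(host) && isPrivateAddress(host)) {
    return { ok: false, reason: `non-public address ${host}` };
  }
  return { ok: true, url };
}
```

checkAttachmentUrl only classifies literals. A hostname that resolves to 10.0.0.5, or one that rebinds between the check and the connect, passes it; that is why the recommended fix routes the request through request-filtering-agent, which applies the same kind of isPrivateAddress test to the address the socket actually connects to. Whatever check is used, it must run for the HEAD request in V4 as well as the GET in V3.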

V5 - Information Disclosure in Errors

Location: packages/nocodb/src/services/v3/data-attachment-v3.service.ts
Affected lines: 293-296
Classification: CWE-209
Requirements: Editor+ role

Description
Raw error objects are interpolated directly into API responses, exposing internal system information including absolute server paths, system usernames, operating system details, and internal ID structures.

Impact

  • Exposes absolute server paths

  • Reveals system usernames

  • Discloses operating system details

  • Shows internal ID structures

  • Leaks file system structure and upload paths

Recommended Fix
Return a generic, classified error message to the client and log the detailed error server-side under a reference id the client can quote back, so that paths, usernames and internal ids never leave the server.
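The interpolation shape behind V5 beside a response that classifies the failure, logs the detail server-side under a reference id and hands the client only the classification, as an added example that is not NocoDB's attachment service code. The error codes, client messages and logger hook are hypothetical, and the filesystem error in the test is constructed.

```typescript
import { randomUUID } from 'crypto';

// Added example, not NocoDB's code: the error-interpolation shape behind V5
// beside a response that classifies the failure, logs the detail server-side
// under a reference id, and hands the client only the classification. The
// error codes, messages and the logger hook are hypothetical.

type AttachmentErrorCode = 'INVALID_BASE64' | 'TOO_LARGE' | 'UNSUPPORTED_TYPE';

// Failures the service expects and can name to the caller.
class AttachmentError extends Error {
  constructor(public readonly code: AttachmentErrorCode, message: string) {
    super(message);
    this.name = 'AttachmentError';
  }
}

// Client-facing text is keyed by code and never copied from the error.
const CLIENT_MESSAGES: Record<AttachmentErrorCode, string> = {
  INVALID_BASE64: 'Attachment data is not valid base64',
  TOO_LARGE: 'Attachment exceeds the size limit',
  UNSUPPORTED_TYPE: 'Attachment type is not supported',
};

interface ClientError { message: string; ref: string }
type LogSink = (entry: Record<string, unknown>) => void;

// Vulnerable shape: whatever the error stringifies to reaches the client.
// A filesystem error carries the absolute upload path; a driver error can
// carry hostnames and internal ids.
function errorResponseUnsafe(err: unknown): ClientError {
  return { message: `Failed to process attachment: ${err}`, ref: '' };
}

// Fixed shape: detail goes to the log with a reference the client can quote
// back to support; the response carries the classification only.
function errorResponseSafe(err: unknown, log: LogSink = console.error): ClientError {
  const ref = randomUUID();
  const e = err instanceof Error ? err : new Error(String(err));
  log({ ref, name: e.name, message: e.message, stack: e.stack });
  const message = err instanceof AttachmentError
    ? CLIENT_MESSAGES[err.code]
    : 'Failed to process attachment';
  return { message, ref };
}
```

Expected failures get a specific but fixed message; everything else collapses to the generic one. The reference id is what makes the generic message supportable: the operator can find the full record in the log without any of it having crossed to the client.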

Traditional Scan Findings Summary (Tier 1)

From 222 initial findings, Kolega.dev's noise reduction engine identified 14 valid items grouped into 5 rules after eliminating 208 false positives through context-aware filtering. These are defence-in-depth improvements, for which public PRs will be created.

Rule   Name                                         Findings   Severity
#6     missing-user-entrypoint                      1          High
#7     missing-user                                 1          High
#12    avoid-v-html                                 10         Medium
#19    wildcard-postmessage-configuration           1          Medium
#20    insufficient-postmessage-origin-validation   1          Medium
