NocoDB Security Assessment Report

Prepared by Kolega.dev
December 2025
Security Remediation Platform

Executive Summary

This security assessment was conducted using Kolega.dev's automated security remediation platform, which combines traditional security scanning (SAST, SCA, secrets detection) with proprietary AI-powered deep code analysis. Our two-tier detection approach identified vulnerabilities that standard tools miss, including complex logic flaws and cross-service injection vectors.

Our analysis of the NocoDB repository identified 5 vulnerabilities through Kolega.dev Deep Code Scan (Tier 2) and 14 findings through traditional SAST scanning (Tier 1) that warrant attention. Following responsible disclosure practices, and after the SLA period expired without a response, verified fixes for all critical and high severity vulnerabilities were submitted as public pull requests. NocoDB has since implemented fixes on its own internal private branches.

Vulnerability Overview

ID   Title                              Severity                        Exploitable   Requires
V1   SQL Injection in Oracle Client     Critical                        Yes           Org Creator+ role
V2   WebSocket Authentication Bypass    Low (OSS) / High (Enterprise)   Yes           None
V3   SSRF in Attachment Upload          High                            Yes           Editor+ role
V4   SSRF in uploadViaURL               High                            Yes           Upload permission
V5   Information Disclosure in Errors   Medium                          Yes           Editor+ role

Responsible Disclosure Timeline

Kolega.dev follows responsible disclosure practices. We attempted to coordinate privately through NocoDB's official security reporting channel before proceeding with public disclosure.
December 10, 2025
Initial responsible disclosure sent to security@nocodb.com
Full technical details, reproduction steps, and proposed fixes submitted through official security reporting channel.
December 16, 2025
Follow-up sent noting the approaching 7-day SLA
Reminder sent as published response timeframe was approaching without acknowledgment.
December 19, 2025
Public disclosure proceeding per responsible disclosure practices
After exceeding published SLA without acknowledgment, proceeding with public disclosure to ensure community protection.
December 19, 2025
Deep Scan vulnerability fixes submitted as public PRs
Five pull requests submitted with verified fixes for all Tier 2 vulnerabilities identified by Kolega.dev Deep Code Scan.

Submitted Pull Requests - Deep Scan Vulnerabilities (Tier 2)

Fixes Available: After the disclosure SLA period expired without response, Kolega.dev submitted verified fixes for all critical and high severity vulnerabilities as public pull requests. These PRs contain ready-to-deploy security fixes.
Vuln ID   PR #     PR title                                                                          Vulnerability
V1        #12748   fix(security): V1 - resolve SQL injection vulnerabilities in Oracle client        SQL Injection in Oracle Client
V2        #12749   fix(security): V2 - properly validate WebSocket authentication in gateway middleware   WebSocket Authentication Bypass
V3        #12750   fix(security): V3 - add SSRF protection to attachment URL upload                 SSRF in Attachment Upload
V4        #12751   fix(security): V4 - apply SSRF protection to axios.head() in uploadViaURL        SSRF in uploadViaURL
V5        #12752   fix(security): V5 - sanitize error messages in base64 attachment processing      Information Disclosure in Errors

Critical Vulnerabilities Overview

V1   Severity: Critical   CVSS: 9.1   CWE-89
SQL Injection in Oracle Client
packages/nocodb/src/db/sql-client/lib/oracle/OracleClient.ts
Lines: 169, 325, 345, 399, 538, 563, 637, 683-685, 755, 808, 862, 909, 955, 995, 1035, 1081, 1123

Description

The Oracle database client concatenates user-controlled parameters directly into SQL queries without parameterization. This affects multiple operations including user existence checks, table enumeration, and schema introspection.

Impact

  • Execute arbitrary SQL commands on Oracle databases
  • Exfiltrate sensitive data
  • Escalate to DBA privileges
  • Achieve complete database compromise

Remediation

Replace string concatenation with parameterized queries using Oracle bind variables, and apply the same pattern to all 17 affected locations, using Knex's built-in parameterization (raw queries with bindings) where available. Where a value must appear as an identifier rather than a bind value (a schema or table name in a FROM clause), validate it against a strict allow-list before quoting it.

Requirements: Org Creator+ role
Detection: Kolega.dev Deep Code Scan
V2   Severity: Low (OSS) / High (Enterprise)   CVSS: 3.7 (OSS) / 8.2 (Enterprise)   CWE-287
WebSocket Authentication Bypass
packages/nocodb/src/gateways/socket.gateway.ts
Lines: 52-59

Description

The WebSocket authentication middleware silently catches all errors and unconditionally allows connections, regardless of authentication status.

Impact

  • OSS: the WebSocket only carries telemetry events, so an unauthenticated client can pollute analytics data
  • Enterprise: real-time data sync is implemented over the same channel, so an unauthenticated client receives database updates
  • Session hijacking and data exfiltration are possible in Enterprise
  • Connections with missing, invalid, or expired tokens are all accepted

Remediation

Validate the authentication result explicitly and reject unauthorized connections, propagating the error to the gateway instead of swallowing it.

Requirements: None
Detection: Kolega.dev Deep Code Scan
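An added illustration of the V2 pattern beside its fix, written for this report; it is not NocoDB's socket.gateway.ts and does not use the project's token format. The (socket, next) shape follows socket.io's io.use() middleware convention; the token, the HMAC-based verifier and the secret are constructed stand-ins so the block runs offline. The point it shows is the control flow: the vulnerable middleware calls next() with no error on every path, the hardened one passes the failure to next(err).

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not NocoDB's code. Token, secret and socket are stand-ins.
const SECRET = "constructed-example-secret"; // constructed; real code loads this from config

export interface Socket {
  handshake: { auth?: { token?: string } };
  data: Record<string, unknown>;
}
export type Next = (err?: Error) => void;
export type Middleware = (socket: Socket, next: Next, nowSeconds: number) => void;

// Stand-in token: base64url(JSON claims) + "." + HMAC-SHA256 tag.
export function signToken(userId: string, expSeconds: number): string {
  const payload = Buffer.from(JSON.stringify({ sub: userId, exp: expSeconds })).toString("base64url");
  const tag = createHmac("sha256", SECRET).update(payload).digest("base64url");
  return payload + "." + tag;
}

export function verifyToken(token: string, nowSeconds: number): { sub: string } {
  const [payload, tag] = token.split(".");
  if (!payload || !tag) throw new Error("malformed token");
  const expected = createHmac("sha256", SECRET).update(payload).digest();
  const given = Buffer.from(tag, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as { sub: string; exp: number };
  if (claims.exp <= nowSeconds) throw new Error("token expired");
  return { sub: claims.sub };
}

// The pattern V2 describes: every failure is swallowed and next() is always
// called without an error, so the gateway admits the connection regardless.
export const authMiddlewareVulnerable: Middleware = (socket, next, nowSeconds) => {
  try {
    socket.data.userId = verifyToken(socket.handshake.auth?.token ?? "", nowSeconds).sub;
  } catch (e) {
    // error silently dropped
  }
  next();
};

// Hardened: a missing or invalid token is handed to next(err). In socket.io that
// aborts the handshake and the client receives connect_error.
export const authMiddlewareSafe: Middleware = (socket, next, nowSeconds) => {
  const token = socket.handshake.auth?.token;
  if (!token) return next(new Error("unauthorized: missing token"));
  try {
    socket.data.userId = verifyToken(token, nowSeconds).sub;
  } catch (e) {
    return next(new Error("unauthorized: " + (e as Error).message));
  }
  next();
};

// Drive a middleware with a fake socket and report whether it admitted the connection.
export function admits(mw: Middleware, token: string | undefined, nowSeconds: number): boolean {
  const socket: Socket = { handshake: { auth: token === undefined ? {} : { token } }, data: {} };
  const calls: Array<Error | undefined> = [];
  mw(socket, (err?: Error) => { calls.push(err); }, nowSeconds);
  return calls.length === 1 && calls[0] === undefined;
}
```

The harness in admits() is the test a reviewer wants for this class of bug: feed the middleware no token, a tampered token and an expired token, and confirm that each one reaches next() with an error rather than with nothing.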
V3   Severity: High   CVSS: 8.6   CWE-918
SSRF in Attachment Upload
packages/nocodb/src/services/v3/data-attachment-v3.service.ts
Lines: 373-379

Description

The downloadAndStoreAttachment function accepts user-supplied URLs without SSRF protection, allowing authenticated users to make arbitrary HTTP requests from the server.

Impact

  • Access cloud metadata endpoints (AWS/GCP/Azure credentials)
  • Scan internal network services
  • Reach internal APIs and databases
  • Potentially chain to RCE via vulnerable internal services

Remediation

Wire the project's existing request-filtering-agent dependency into the download call through the httpAgent and httpsAgent options, so that connections to loopback, private, and link-local addresses are refused at connect time, after DNS resolution.

Requirements: Editor+ role
Detection: Kolega.dev Deep Code Scan
V4   Severity: High   CVSS: 8.6   CWE-918
SSRF in uploadViaURL
packages/nocodb/src/services/attachments.service.ts
Lines: 287

Description

The axios.head() call in uploadViaURL() lacks SSRF protection. While the subsequent fileCreateByUrl() has protection, the initial HEAD request executes without validation.

Impact

  • Blind SSRF via HEAD requests
  • Cloud credential theft from metadata endpoints
  • Internal network reconnaissance

Remediation

Apply the same request-filtering-agent protection to the HEAD request, so every outbound request on the upload path is filtered, not only the final download.

Requirements: Upload permission
Detection: Kolega.dev Deep Code Scan
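Both V3 and V4 are fixed by the same control, so one added illustration serves both. This is written for this report; it is not NocoDB's code and it is not the request-filtering-agent package, which the PRs wire in through axios' httpAgent/httpsAgent options. What the block reimplements is the check that package applies inside its agents: the address the socket is about to connect to is tested against loopback, private, link-local (which covers the 169.254.169.254 metadata endpoint), carrier-grade NAT, multicast and reserved ranges, in both IPv4 and IPv6 including IPv4-mapped forms. makeGuardedLookup is an assumed helper showing where the check belongs, after name resolution; its resolver is injectable so the example runs without a network, and its signature is simplified rather than Node's exact lookup option.

```typescript
import { isIP } from "node:net";

// Added example, not NocoDB's code and not request-filtering-agent itself.
// Reimplements the connect-time address check that library performs.

function ipv4ToInt(addr: string): number {
  return addr.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inCidrV4(addr: string, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipv4ToInt(addr) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Non-public IPv4 ranges: "this" network, RFC 1918, CGNAT, loopback, link-local
// (metadata endpoints live here), multicast and reserved.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

// Expand an IPv6 literal to eight 16-bit groups; a dotted IPv4 tail becomes two groups.
function expandV6(addr: string): number[] {
  const toGroups = (part: string): number[] => {
    const out: number[] = [];
    if (part === "") return out;
    for (const g of part.split(":")) {
      if (g.includes(".")) { const n = ipv4ToInt(g); out.push(n >>> 16, n & 0xffff); }
      else out.push(parseInt(g, 16));
    }
    return out;
  };
  const parts = addr.split("::");
  const h = toGroups(parts[0]);
  const t = parts.length > 1 ? toGroups(parts[1]) : [];
  const fill: number[] = new Array(Math.max(0, 8 - h.length - t.length)).fill(0);
  return h.concat(fill, t);
}

export function isBlockedAddress(addr: string): boolean {
  const kind = isIP(addr);
  if (kind === 4) return BLOCKED_V4.some(([base, bits]) => inCidrV4(addr, base, bits));
  if (kind !== 6) return true; // not an address literal: refuse; callers resolve first
  const g = expandV6(addr);
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    // IPv4-mapped (::ffff:a.b.c.d): apply the IPv4 rules to the embedded address
    return isBlockedAddress([g[6] >>> 8, g[6] & 0xff, g[7] >>> 8, g[7] & 0xff].join("."));
  }
  if (g.every((x) => x === 0)) return true;                            // :: unspecified
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return true;  // ::1 loopback
  if ((g[0] & 0xfe00) === 0xfc00) return true;                         // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true;                         // fe80::/10 link local
  if ((g[0] & 0xff00) === 0xff00) return true;                         // ff00::/8 multicast
  return false;
}

// Hypothetical hook showing where the check belongs: resolve the hostname,
// then refuse a blocked address before any socket is opened. Checking the URL
// string instead would miss hostnames that resolve to internal addresses.
export type Resolver = (hostname: string, cb: (err: Error | null, address: string) => void) => void;

export function makeGuardedLookup(resolve: Resolver): Resolver {
  return (hostname, cb) => {
    resolve(hostname, (err, address) => {
      if (err) return cb(err, "");
      if (isBlockedAddress(address)) {
        return cb(new Error("SSRF blocked: " + hostname + " resolved to " + address), "");
      }
      cb(null, address);
    });
  };
}
```

Two caveats worth keeping in mind when reviewing the PRs: the filter must sit on every request in the path (V4 exists precisely because the HEAD request was left out), and it must apply to redirect targets as well, since a public URL can 302 to an internal one.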
V5   Severity: Medium   CVSS: 4.3   CWE-209
Information Disclosure in Errors
packages/nocodb/src/services/v3/data-attachment-v3.service.ts
Lines: 293-296

Description

Raw error objects are interpolated directly into API responses, exposing internal system information including absolute server paths, system usernames, operating system details, and internal ID structures.

Impact

  • Exposes absolute server paths
  • Reveals system usernames
  • Discloses operating system details
  • Shows internal ID structures
  • Leaks file system structure and upload paths

Remediation

Return a generic error message to the client, with a correlation identifier if one is needed for support, and log the detailed error server-side.

Requirements: Editor+ role
Detection: Kolega.dev Deep Code Scan
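An added illustration of the V5 remediation, written for this report; it is not NocoDB's data-attachment-v3.service.ts. The error object, the ClientSafeError marker class and the injectable log sink are assumptions: the sink lets the block run offline and lets the caller see what reached the log, and the marker class shows how to keep user-facing validation messages intact while everything else collapses to a generic message with a correlation id. The sample error string is constructed to resemble what Node's fs reports for a missing file.

```typescript
import { randomUUID } from "node:crypto";

// Added example, not NocoDB's code. Two audiences for one error: the API client
// gets a stable generic message plus a correlation id; the server log gets all of it.
export interface ClientError { msg: string; errorId: string }
export type LogSink = (entry: Record<string, unknown>) => void;

// Hypothetical marker for errors whose message was written for end users
// (validation failures) and may therefore be returned verbatim.
export class ClientSafeError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ClientSafeError";
    Object.setPrototypeOf(this, ClientSafeError.prototype);
  }
}

// The pattern V5 describes: the raw error is interpolated into the response body,
// so whatever the OS or driver put in the message (paths, usernames) ships to the client.
export function toClientErrorVulnerable(err: unknown): ClientError {
  return { msg: `Failed to process attachment: ${err}`, errorId: "" };
}

export function toClientError(err: unknown, where: string, log: LogSink): ClientError {
  const errorId = randomUUID();
  const e = err instanceof Error ? err : new Error(String(err));
  // Full detail (message with paths, stack trace) goes to the server log only,
  // keyed by the same id the client receives, so support can correlate.
  log({ errorId, where, name: e.name, message: e.message, stack: e.stack });
  const msg = e instanceof ClientSafeError ? e.message : "Attachment could not be processed";
  return { msg, errorId };
}

// Constructed sample input: the shape of an fs error for a missing upload on disk.
export const SAMPLE_FS_ERROR = new Error(
  "ENOENT: no such file or directory, open '/home/deploy/nocodb/uploads/noco/p_4f3d/t_9a1c/file.png'",
);
```

The check a reviewer applies to the fix is the one in the test: the response body must not contain the path, the log entry must, and the two must share an id.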

Traditional Scan Findings Summary (Tier 1)

From 222 initial findings, Kolega.dev's noise reduction engine eliminated 208 false positives through context-aware filtering, leaving 14 valid items grouped under 5 rules. These are defence-in-depth improvements; public PRs will be opened for them.
Rule   Name                                          Findings   Severity
#6     missing-user-entrypoint                       1          High
#7     missing-user                                  1          High
#12    avoid-v-html                                  10         Medium
#19    wildcard-postmessage-configuration            1          Medium
#20    insufficient-postmessage-origin-validation    1          Medium
