ElectricSQL database takeover vulnerability found by AI
casco.comRene from Casco here. While our agents were performing a security test, they discovered a database takeover vulnerability. It's a good example of how SQL injection is still a test path that needs to be explicitly be validated. Really want to give props to the ElectricSQL team from issue reported to issue fixed and deployed, it took ~2 hours.
Thanks from the Electric side to the Casco team for the responsible disclosure, comprehensive repro and great communication through the process.
This was a critical one to identify and patch: https://github.com/electric-sql/electric/security/advisories...
Just to repeat for visibility, if you're self-hosting the Electric sync service, upgrade to version >= 1.5.0 immediately.