@evershop/evershop is vulnerable to Improper Input Validation
78
High Risk
Affected versions of this package allow insecure URL rewrite handling where url_key validation was overly permissive and SQL queries were built via string interpolation, enabling malicious input to influence database operations. An attacker could craft specially formatted url_key values (including unexpected characters or long strings) to manipulate request_path replacements and, in the worst case, perform SQL injection during update or delete flows. By injecting controlled values into currentPath.request_path or path, an attacker could corrupt URL mappings, overwrite routes of other entities, or disrupt application routing integrity. The fix enforces strict URL key constraints and uses parameterized queries to eliminate injection vectors.
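As an added example (not EverShop's own code) of the two controls the fix describes, strict url_key constraints and parameterized queries, the snippet below validates a url_key, replaces only the entity's own path segment, and builds a bound-parameter UPDATE; the table and column names, the validation rule, the length limit and the node-postgres style `$n` placeholders are assumptions.

```javascript
// Added example, not code from the EverShop project. Table/column names,
// the url_key rule and the 100-character limit are assumptions for illustration.
const URL_KEY_MAX_LENGTH = 100;
// Assumed rule: lowercase letters, digits, single hyphens between groups.
const URL_KEY_PATTERN = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;

// Strict url_key check: rejects empty, over-long and non-conforming keys
// (quotes, spaces, slashes, leading/double hyphens all fail the pattern).
function isValidUrlKey(urlKey) {
  return typeof urlKey === 'string'
    && urlKey.length > 0
    && urlKey.length <= URL_KEY_MAX_LENGTH
    && URL_KEY_PATTERN.test(urlKey);
}

// Replace only the final segment of request_path (the entity's own key),
// never a substring anywhere in the path, so one entity's update cannot
// rewrite another entity's route. A trailing slash is stripped first.
function replaceLastSegment(requestPath, newKey) {
  const parts = requestPath.replace(/\/+$/, '').split('/');
  parts[parts.length - 1] = newKey;
  return parts.join('/');
}

// Unsafe pattern the advisory describes (do not use):
//   `UPDATE url_rewrite SET request_path = '${path}' WHERE ...`
// Safe pattern: the new path and identifiers travel as bound parameters,
// so their content can never change the SQL statement. Returns { text, values }
// in the shape a node-postgres pool.query(text, values) call accepts.
function buildRequestPathUpdate(currentPath, newUrlKey) {
  if (!isValidUrlKey(newUrlKey)) {
    throw new Error('Invalid url_key');
  }
  const newRequestPath = replaceLastSegment(currentPath.request_path, newUrlKey);
  return {
    text: 'UPDATE url_rewrite SET request_path = $1 '
      + 'WHERE entity_uuid = $2 AND entity_type = $3',
    values: [newRequestPath, currentPath.entity_uuid, currentPath.entity_type],
  };
}
```

Because the value is bound rather than interpolated, the same `text` is sent for every url_key; only `values` changes.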
You are affected if you are using a version that falls within the vulnerable range.
@evershop/evershop is vulnerable to Improper Input Validation in versions 0.1.0 - 2.1.0.
Upgrade the @evershop/evershop library to a patched version.