SCA: security update for @nozbe/watermelondb (GHSA-38f9-m297-6q9g)

medium Tenable Cloud Security Plugin ID 423531

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In WatermelonDB (NPM package "@nozbe/watermelondb") before versions 0.15.1 and 0.16.2, a maliciously
crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the
app to delete all or selected records from the database, generally causing the app to become unusable.
This may happen in apps that don't validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon
Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the
fact that maliciously deleted records won't synchronize, so logout-login will restore all data, although
some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to
push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL
Injection is mitigated, because it's not possible to nest an insert/update query inside a delete query in
SQLite, and it's not possible to pass a semicolon-separated second query. There's also no known
practicable way to breach confidentiality by selectively deleting records, because those records will not
be synchronized. It's theoretically possible that selective record deletion could cause an app to behave
insecurely if lack of a record is used to make security decisions by the app. This is patched in versions
0.15.1, 0.16.2, and 0.16.1-fix (CVE-2020-4035)

See Also

https://github.com/advisories/GHSA-38f9-m297-6q9g

Plugin Details

Severity: Medium

ID: 423531

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 3/29/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 51.63

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS Score Source: CVE-2020-4035

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/3/2020

Vulnerability Publication Date: 6/3/2020

Reference Information

CVE: CVE-2020-4035

cwe: CWE-89