Marten has an injection vulnerability in its full-text search regConfig parameter

Description

Summary

Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink.

Affected APIs

  • IQuerySession.SearchAsync<T>(string searchTerm, string regConfig, ...)
  • IQuerySession.PlainTextSearchAsync<T>(...)
  • IQuerySession.PhraseSearchAsync<T>(...)
  • IQuerySession.WebStyleSearchAsync<T>(...)
  • IQuerySession.PrefixSearchAsync<T>(...)
  • IQueryable<T>.Where(x => x.Search(term, regConfig)) and the matching PlainTextSearch / PhraseSearch / WebStyleSearch / PrefixSearch extension methods

Details

In the affected versions, FullTextWhereFragment renders the WHERE-clause SQL by string interpolation:

private string Sql =>
    $"to_tsvector('{_regConfig}'::regconfig, {_dataConfig}) @@ {_searchFunction}('{_regConfig}'::regconfig, ?)";

_regConfig arrives unchanged from the public API surface above. Any value containing a single quote terminates the SQL literal and lets an attacker append arbitrary PostgreSQL.

Confirmed exploit shapes (with regConfig set to attacker-controlled input)

Goal Payload
Time-based blind english'::text); SELECT pg_sleep(5); --
Information disclosure english'; SELECT version(); --
DDL execution english'; DROP TABLE mt_doc_article; --

All five overloads listed above produced SQL containing the verbatim payload.

Impact

  • Confidentiality: an attacker can append arbitrary SELECT statements and exfiltrate database contents through error channels, response timing, or — if the application surfaces query results — directly.
  • Integrity / Availability: DDL, UPDATE, DELETE, and pg_sleep-style denial-of-service payloads succeed under the same vector. Concrete impact depends on the database role used by the Marten connection string.
  • Precondition: the calling application must forward attacker-controlled input into the regConfig parameter (e.g. a ?lang= query string mapped to regConfig). Applications that hard-code regConfig to a compile-time constant are not exploitable.

Patches

Fixed in Marten 8.36.1 (and forward) by #4343.

FullTextWhereFragment now validates regConfig against ^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*)?$ (a simple PostgreSQL identifier, optionally schema-qualified, capped at NAMEDATALEN-1 per side) and throws ArgumentException for anything else. The default value ("english"), schema-qualified configs ("pg_catalog.english"), and the standard PostgreSQL text-search configurations all continue to work.

Workarounds

If users cannot upgrade immediately, do one of the following at the application boundary:

  1. Hard-code regConfig to a compile-time constant ("english", "simple", …) and never accept it from request input.
  2. Validate any externally-sourced regConfig value before passing it to Marten — e.g. against the same regex as the patch (^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*)?$) or against an allowlist of PostgreSQL configurations the application actually uses.
  3. Drop the regConfig argument from the call site so Marten falls back to the safe default.

Resources

Credit

Reported privately to the JasperFx team with a working proof of concept covering all five affected overloads.

Basic information

Type
reviewed
Severity
critical
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-14 20:46:26 UTC
Updated
2026-06-09 10:24:30 UTC
GitHub reviewed
2026-05-14 20:46:26 UTC
NVD published
2026-05-28

EPSS Score

Score Percentile
0.04% 11.66%

CVSS Scores

Base score Version Severity Vector
9.8 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

CWEs

CWE id Name
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
nuget Marten <= 8.36 8.37.0

References

cvelogic Threat Intelligence