🚨 Critical SQL injection in Chef Automate (CVE-2025-8868) If you're running Chef for infrastructure automation, patch immediately to version 4.13.295 or later. Full technical breakdown: xbow.com/blog/cooking-an-sql… What XBOW found 🧵
The vulnerability allows authenticated attackers to execute arbitrary SQL commands against the PostgreSQL database through the compliance profiles search endpoint at /api/v0/compliance/profiles/search. Potential impact: compromised data access.
How XBOW found it: XBOW's autonomous testing identified SQL injection through the type field in the filters array using PostgreSQL's string concatenation operator. The application uses the pq driver, and error messages revealed the injection point.
What makes this interesting from a testing perspective: XBOW also discovered a default authentication token (93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506) that provided access to previously protected endpoints. This token exists in some GitHub repos but isn't widely known.

Sep 30, 2025 · 2:11 PM UTC

The discovery path: Found during testing on a HackerOne program, then realized it affected the upstream open-source Chef Automate project. We immediately disclosed to Progress (Chef's parent company), who responded quickly with a fix.
Action required now: Upgrade to Chef Automate 4.13.295 or later immediately. CVE: cve.org/CVERecord?id=CVE-202… This is autonomous security testing in practice - finding and responsibly disclosing critical vulnerabilities before they're exploited at scale.
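The bug class behind the thread, as an added illustration that is neither Chef Automate's code nor XBOW's: a hypothetical Go filter builder that pastes a filter's type field and values into the SQL text, beside a version that maps the type through a column allowlist and binds every value as a $n placeholder, which is what the pq driver expects. Table and column names are assumptions; no database is needed, since the safe builder only returns the query and args you would hand to db.QueryContext.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Filter is a hypothetical search filter (field name plus values), not Chef Automate's type.
type Filter struct {
	Type   string
	Values []string
}

// buildUnsafe shows the bug class: caller-controlled Type and Values are
// pasted into the SQL text, so a quote in either one rewrites the statement.
func buildUnsafe(filters []Filter) string {
	var where []string
	for _, f := range filters {
		where = append(where, f.Type+" IN ('"+strings.Join(f.Values, "','")+"')")
	}
	return "SELECT id, name FROM profiles WHERE " + strings.Join(where, " AND ")
}

// allowedColumns is the identifier half of the fix: a filter "type" names a
// column, and column names cannot be bound as $n parameters, so they are
// looked up in a fixed allowlist instead of being interpolated.
var allowedColumns = map[string]string{"name": "name", "version": "version"}

// buildSafe maps Type through the allowlist and binds every value as a $n
// placeholder; args go to db.QueryContext unchanged, never into the text.
func buildSafe(filters []Filter) (string, []interface{}, error) {
	var where []string
	var args []interface{}
	for _, f := range filters {
		col, ok := allowedColumns[f.Type]
		if !ok || len(f.Values) == 0 {
			return "", nil, errors.New("rejected filter: " + f.Type)
		}
		ph := make([]string, 0, len(f.Values))
		for _, v := range f.Values {
			args = append(args, v)
			ph = append(ph, fmt.Sprintf("$%d", len(args)))
		}
		where = append(where, col+" IN ("+strings.Join(ph, ", ")+")")
	}
	q := "SELECT id, name FROM profiles"
	if len(where) > 0 {
		q += " WHERE " + strings.Join(where, " AND ")
	}
	return q, args, nil
}
```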
Replying to @Xbow
How can I contact you? I need to hack into a system.