CVE-2024-24213: n/a
Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pg_meta/default/query. NOTE: the vendor's position is that this is an intended feature; also, it exists in the Supabase dashboard product, not the Supabase PostgreSQL product. Specifically, /pg_meta/default/query is for SQL queries that are entered in an intended UI by an authorized user. Nothing is injected.
AI Analysis
Technical Summary
CVE-2024-24213 is a disputed CVE. The MITRE record describes a SQL injection in "Supabase PostgreSQL v15.1" via the component /pg_meta/default/query, but the vendor's position, recorded in the description itself, is that the component is an intended feature: it is the endpoint behind the SQL editor of the Supabase dashboard (Supabase Studio in self-hosted deployments), it executes SQL that an authorized user typed into that editor, and it belongs to the dashboard product rather than to Supabase's PostgreSQL distribution. Nothing is injected; the endpoint does exactly what it exists to do. The CWE-89 classification and the CVSS 3.1 base score of 9.8 (network vector, no privileges, no user interaction, full impact on confidentiality, integrity and availability) therefore describe what happens if an unauthenticated party can reach the endpoint, not a parsing flaw that smuggles SQL past an input filter. Read that way, the record is a warning about exposure: a dashboard or postgres-meta service published without authentication hands anyone who can reach it a SQL console running under the dashboard's database role. No patch exists and none should be expected, since there is no code defect to correct, and no exploitation in the wild has been reported. Operators of Supabase dashboards, in particular self-hosted ones, should verify that the dashboard is reachable only through an authenticated, network-restricted path and that query activity is logged.
Potential Impact
The impact depends entirely on who can reach the query endpoint. For someone who legitimately holds dashboard access it is a feature. For anyone else, whether through a self-hosted dashboard published without authentication, a stolen dashboard credential or session, or an internal user whose dashboard access exceeds their role, the endpoint executes arbitrary SQL with the privileges of the dashboard's database connection. In self-hosted deployments that role is highly privileged, so the consequences are read access to every schema, modification or deletion of records, schema changes, and denial of service through resource-exhausting statements. The hosted Supabase dashboard sits behind Supabase account authentication and project membership, so there the exposure reduces to account compromise. The CVSS 9.8 rating reflects the unauthenticated-exposure case; it is not a measure of how common that misconfiguration is, and it should not be read as a reason to expect a fix from the vendor.
Mitigation Recommendations
1. Keep the dashboard behind authentication. For self-hosted deployments, confirm that the dashboard and the postgres-meta route are reachable only through the authenticating reverse proxy, never directly, and use strong credentials with MFA where the gateway supports it.
2. Restrict dashboard membership to people who need a SQL console and review that list regularly; dashboard access is database access.
3. Limit network exposure: bind the dashboard to a private network, a VPN, or an IP allow-list rather than the public internet.
4. Log and review query activity: proxy access logs for requests to /pg_meta/default/query, and PostgreSQL statement logging (log_statement or pgaudit) for the role the dashboard connects as. Alert on requests that succeed without an authenticated user or that arrive from outside the allow-list.
5. If the SQL editor is not needed in a deployment, do not publish its route at all.
6. Do not rely on WAF SQL-injection signatures here: the endpoint legitimately receives arbitrary SQL, so such rules either block normal use or get tuned into uselessness. Use the proxy or WAF to enforce authentication and source restrictions instead.
7. Include dashboard exposure and the privilege of its database role in periodic assessments and penetration tests.
8. Do not wait for a vendor patch; none is expected because the behaviour is intended. Follow Supabase security communications for changes to how the dashboard is authenticated.
9. Make sure administrators understand that the SQL editor runs with a privileged role, and apply change-control procedures to statements run through it.
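The monitoring recommendation above is the one that turns this record into something actionable: if the query endpoint ever answers a caller the proxy did not authenticate, or a caller outside the administrator networks, that is the exposure the CVSS score describes. The script below is an added example written for this page, not Supabase code. It assumes a reverse proxy writing NGINX/Apache "combined" format access logs in front of the dashboard, that the proxy performs authentication so an anonymous request logs "-" as the user, and an administrator allow-list of 10.0.0.0/8; the log lines it runs over are constructed.

```python
"""Audit reverse-proxy access logs for the Supabase dashboard SQL endpoint.

Added example for this page, not Supabase code. Assumptions (not from the page):
  * the dashboard sits behind a reverse proxy that writes NGINX/Apache
    "combined" format access logs (Kong's file-log plugin emits JSON; adapt
    parse_line if that is what you have);
  * the proxy performs authentication, so an authenticated request carries a
    real remote_user while an anonymous one logs "-"; a 2xx answer with "-"
    therefore means the query endpoint served an unauthenticated caller;
  * administrators reach the dashboard only from ADMIN_NETWORKS.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

QUERY_PATH = "/pg_meta/default/query"

# Assumed allow-list of administrator source networks.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample traffic (not real logs): two legitimate admin sessions,
# one anonymous caller that got answers, one anonymous caller that was refused.
SAMPLE_LOG = """\
10.0.0.5 - admin [25/Feb/2026:21:44:56 +0000] "POST /pg_meta/default/query HTTP/1.1" 200 512 "https://studio.example.internal/" "Mozilla/5.0"
10.0.0.5 - admin [25/Feb/2026:21:45:02 +0000] "GET /pg_meta/default/tables HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2026:22:01:10 +0000] "POST /pg_meta/default/query HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.7 - - [25/Feb/2026:22:01:11 +0000] "POST /pg_meta/default/query HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [25/Feb/2026:22:05:00 +0000] "POST /pg_meta/default/query HTTP/1.1" 401 0 "-" "curl/8.4.0"
10.0.0.9 - ops [25/Feb/2026:22:10:00 +0000] "POST /pg_meta/default/query HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# One "combined" line: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    rec["path"] = m.group("path").split("?", 1)[0]  # drop any query string
    return rec


def audit(log_text: str) -> Dict[str, object]:
    """Return requests to the SQL endpoint that violate the assumptions above."""
    unauthenticated: List[Dict[str, object]] = []
    outside: List[Dict[str, object]] = []
    per_ip: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != QUERY_PATH:
            continue  # other dashboard traffic is out of scope here
        per_ip[rec["ip"]] += 1
        # A successful answer to a caller the proxy never authenticated.
        if 200 <= rec["status"] < 300 and rec["user"] == "-":
            unauthenticated.append(rec)
        # Any attempt, successful or not, from outside the admin networks.
        src = ipaddress.ip_address(str(rec["ip"]))
        if not any(src in net for net in ADMIN_NETWORKS):
            outside.append(rec)
    return {
        "unauthenticated_success": unauthenticated,
        "outside_allowlist": outside,
        "requests_per_ip": dict(per_ip),
    }


def summarize(findings: Dict[str, object]) -> List[str]:
    """Human-readable lines, one per finding, for a ticket or alert body."""
    lines: List[str] = []
    for rec in findings["unauthenticated_success"]:
        lines.append(f"EXPOSED: {rec['ip']} ran SQL at {rec['ts']} without authentication (HTTP {rec['status']})")
    for rec in findings["outside_allowlist"]:
        lines.append(f"OUTSIDE ALLOW-LIST: {rec['ip']} hit {QUERY_PATH} at {rec['ts']} -> HTTP {rec['status']}")
    return lines


if __name__ == "__main__":
    for line in summarize(audit(SAMPLE_LOG)):
        print(line)
```

On the sample, the two 200 responses to 203.0.113.7 with no proxy user are the finding that matters: the endpoint served SQL to someone the gateway never authenticated, which is exactly the unauthenticated-exposure case the 9.8 score models. The 401 from 198.51.100.9 shows the gateway doing its job and is reported only as an out-of-allow-list attempt. Note that the script cannot see the SQL text itself; pair it with PostgreSQL statement logging for the dashboard's role if you need to know what was run.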
Affected Countries
United States, Canada, United Kingdom, Germany, Netherlands, Australia, India, Japan, South Korea, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-01-25T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d58b7ef31ef0b57088d
Added to database: 2/25/2026, 9:44:56 PM
Last enriched: 2/28/2026, 9:29:05 AM
Last updated: 4/12/2026, 9:22:25 AM
Views: 14