GHSA-wm25-j4gw-6vr3: 
vulnerability analysis and mitigation

A critical security vulnerability (GHSA-wm25-j4gw-6vr3) was discovered in pREST affecting versions prior to 1.5.4. The vulnerability, identified on July 30, 2024, combines JWT bypass and SQL injection vulnerabilities, allowing unauthorized access to sensitive data. The issue affects the github.com/prest/prest Go module and received a Critical severity rating with a CVSS score of 9.3 (GitHub Advisory).

The vulnerability stems from improper JWT token validation and SQL injection in the authentication mechanism. The issue allows attackers to bypass authentication and execute unauthorized SQL queries through malformed URL paths. The vulnerability received a CVSS v4 base score of 9.3, with metrics indicating Network attack vector, Low attack complexity, and No privileges required. The weakness is categorized under CWE-89 (SQL Injection) and CWE-287 (Improper Authentication) (GitHub Advisory).

The vulnerability allows attackers to bypass authentication controls and execute unauthorized SQL queries, potentially leading to unauthorized access to sensitive data. The CVSS metrics indicate High impact on Confidentiality, Integrity, and Availability of the vulnerable system (GitHub Advisory).

The vulnerability has been patched in version 1.5.4 of pREST. The fix includes updating the JWT regex pattern in the configuration to properly validate authentication tokens (Prest Commit).