## Critical SQL Injection Vulnerability Exposed in DEMS Project's saveInDataModelTable Function
A critical SQL injection vulnerability has been identified within the DEMS project's codebase, exposing a direct path for potential data manipulation or exfiltration. The flaw resides in the `saveInDataModelTable` function within the `src/builders/eventHistoryBuilder.ts` file. The function builds its SQL with unsafe string interpolation (`INSERT INTO ${tableName}`), so an attacker who controls the `tableName` parameter can inject arbitrary SQL into the statement. This vulnerability was introduced in the `feat-paysys-DME` branch, creating a significant security regression.

The vulnerability is particularly alarming because it violates core defense-in-depth security principles. While a comment in the code suggests the table name is "validated at DEMS level," this single point of trust is insufficient. The unsafe practice concatenates user or system input directly into the query string before execution, so even if the row values are bound as parameters, the interpolated table name undoes that protection. This creates a clear and exploitable attack vector where a malicious actor could alter the query's logic, access unauthorized data, or perform destructive operations on the database.

The discovery places immediate pressure on the development and security teams responsible for the DEMS project. It signals a potential breakdown in secure coding practices and code review processes for a critical data-handling component. The presence of such a severe vulnerability in a function designed to save data models raises urgent questions about the integrity of the broader codebase and necessitates a comprehensive audit of similar patterns. Remediation requires immediate action to replace the unsafe interpolation with proper parameterization or rigorous, context-aware validation before the vulnerable code reaches a production environment.
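The pattern described above and one way to remediate it, as an added example that is not the DEMS project's own code: `buildInsertUnsafe` mirrors the `INSERT INTO ${tableName}` interpolation, while `buildInsertSafe` allow-lists the table identifier (a database driver cannot bind a table name as a parameter, so identifiers need context-aware validation rather than placeholders) and binds the row values. The allow-list contents, the `$1`-style placeholder syntax and the function names are assumptions.

```typescript
// Added example, not code from the DEMS repository. Models the reported
// pattern (interpolated table name) next to a hardened builder.

// Hypothetical allow-list: the only tables this builder may write to.
const ALLOWED_TABLES: ReadonlySet<string> = new Set(["event_history", "data_model"]);

// A plain SQL identifier: letters, digits, underscore; no leading digit.
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

interface PreparedInsert {
  sql: string;
  params: unknown[];
}

// Vulnerable form, kept only for comparison: table name and values are
// spliced into the query text, so whatever reaches `tableName` becomes SQL.
function buildInsertUnsafe(tableName: string, row: Record<string, unknown>): string {
  const cols = Object.keys(row).join(", ");
  const vals = Object.values(row).map((v) => `'${String(v)}'`).join(", ");
  return `INSERT INTO ${tableName} (${cols}) VALUES (${vals})`;
}

// Returns true only for identifiers that are both well-formed and allow-listed.
function isSafeTableName(tableName: string): boolean {
  return IDENT_RE.test(tableName) && ALLOWED_TABLES.has(tableName);
}

// Hardened form: the identifier is validated against the allow-list, then
// quoted; every value travels as a positional parameter ($1, $2, ...), so
// the database never parses user data as part of the statement.
function buildInsertSafe(tableName: string, row: Record<string, unknown>): PreparedInsert {
  if (!isSafeTableName(tableName)) {
    throw new Error(`refusing to insert into unknown table: ${JSON.stringify(tableName)}`);
  }
  const cols = Object.keys(row);
  if (cols.length === 0 || !cols.every((c) => IDENT_RE.test(c))) {
    throw new Error("column names must be plain identifiers");
  }
  const quotedCols = cols.map((c) => `"${c}"`).join(", ");
  const placeholders = cols.map((_, i) => `$${i + 1}`).join(", ");
  return {
    sql: `INSERT INTO "${tableName}" (${quotedCols}) VALUES (${placeholders})`,
    params: cols.map((c) => row[c]),
  };
}
```

A rejected identifier surfaces as a thrown error at the builder rather than as a malformed statement at the database, which is also the point at which to log and alert on the attempt.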
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: SQL Injection, Code Vulnerability, Data Security, Software Development, DEMS
- **Credibility**: unverified
- **Published**: 2026-03-28 06:26:53
- **ID**: 38799
- **URL**: https://whisperx.ai/en/intel/38799