CRITICALCVE-2024-24811CVSS 9.8

CVE-2024-24811: SQL Injection in SQLAlchemyDA

Q: What is CVE-2024-24811 — SQL Injection in SQLAlchemyDA?

CVE-2024-24811 is a critical SQL Injection vulnerability in SQLAlchemyDA versions prior to 2.2, allowing attackers to execute arbitrary SQL commands without authentication.

Q: Am I affected by CVE-2024-24811 in SQLAlchemyDA?

Yes, if you are using SQLAlchemyDA version 2.2 or earlier, you are affected by this vulnerability. Upgrade immediately.

Q: How do I fix CVE-2024-24811 in SQLAlchemyDA?

Upgrade to SQLAlchemyDA version 2.2 or later. There is no workaround for this vulnerability.

Q: Is CVE-2024-24811 being actively exploited?

Currently, there are no known public exploits or active campaigns targeting this vulnerability, but its critical severity warrants immediate attention.

Q: Where can I find the official SQLAlchemyDA advisory for CVE-2024-24811?

Refer to the SQLAlchemyDA project's official documentation and release notes for the latest information and security advisories: https://github.com/sdispirit/sqlalchemy_utils

Platform

python

Component

products.sqlalchemyda

Fixed in

2.2.1

AI Confidence: highNVDEPSS 0.8%Reviewed: May 2026

View on NVD

Save

CVE-2024-24811 is a critical SQL Injection vulnerability affecting SQLAlchemyDA versions prior to 2.2. This flaw allows an attacker to execute arbitrary SQL statements against the connected database without authentication. All users of affected versions are vulnerable, and a patch is available in version 2.2.

Impact and Attack Scenarios

The impact of this vulnerability is severe. An attacker can leverage SQL Injection to bypass authentication and authorization controls, gaining unauthorized access to sensitive data stored within the database. This could include user credentials, financial information, or other confidential data. Depending on the database schema and permissions, an attacker might also be able to modify or delete data, or even execute operating system commands on the database server. The lack of authentication required to exploit this vulnerability significantly broadens the attack surface.

Exploitation Context

This vulnerability was publicly disclosed on February 7, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 9.8 indicates a critical severity, suggesting a high potential for exploitation if left unaddressed. Monitor security advisories and threat intelligence feeds for any updates.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.85% (75% percentile)

CVSS Vector

Affected Software

Componentproducts.sqlalchemyda

Vendorzopefoundation

Affected rangeFixed in

< 2.2 – < 2.22.2.1

Weakness Classification (CWE)

CWE-89

Timeline

Reserved2024-01-31
Published2024-02-07
Modified2025-05-15
EPSS updated2026-04-02

Patched 1 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2024-24811 is to immediately upgrade to SQLAlchemyDA version 2.2 or later. Since there is no workaround, relying on other security measures is insufficient. Consider implementing strict database access controls and limiting database user privileges to minimize potential damage if the vulnerability is exploited before patching. Regularly review database activity logs for suspicious queries.

How to fix

Update the Products.SQLAlchemyDA library to version 2.2 or higher. This version contains the security fix that prevents the execution of unauthenticated arbitrary SQL queries. To update, use the Python package manager (pip) or the installation method corresponding to your environment.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-24811 — SQL Injection in SQLAlchemyDA?

CVE-2024-24811 is a critical SQL Injection vulnerability in SQLAlchemyDA versions prior to 2.2, allowing attackers to execute arbitrary SQL commands without authentication.

Am I affected by CVE-2024-24811 in SQLAlchemyDA?

Yes, if you are using SQLAlchemyDA version 2.2 or earlier, you are affected by this vulnerability. Upgrade immediately.

How do I fix CVE-2024-24811 in SQLAlchemyDA?

Upgrade to SQLAlchemyDA version 2.2 or later. There is no workaround for this vulnerability.

Is CVE-2024-24811 being actively exploited?

Currently, there are no known public exploits or active campaigns targeting this vulnerability, but its critical severity warrants immediate attention.

Where can I find the official SQLAlchemyDA advisory for CVE-2024-24811?

Refer to the SQLAlchemyDA project's official documentation and release notes for the latest information and security advisories: https://github.com/sdispirit/sqlalchemy_utils

NextGuard

Vulnerabilities

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free Search CVEs

Python

Detect this CVE in your project

Upload your requirements.txt file and we'll tell you instantly if you're affected.

Upload requirements.txtSupported formats: requirements.txt · Pipfile.lock