In June 2025, a security researcher uncovered a critical SOQL (Salesforce Object Query Language) injection vulnerability in a default Salesforce Aura controller, affecting potentially thousands of deployments and millions of user records.
The discovery highlights the risks of dynamic query construction and the importance of secure coding practices in enterprise cloud platforms.
The researcher began by fuzzing Aura controllers—endpoints defined in Salesforce’s app.js file—using a custom parser and fuzzer to test various input mutations.
This approach quickly revealed a vulnerability in the built-in controller aura://CsvDataImportResourceFamilyController/ACTION$getCsvAutoMap.
This controller, present in all Salesforce deployments, accepted a contentDocumentId parameter that was unsafely embedded into a dynamic SOQL query, making it susceptible to injection attacks.
The vulnerability was spotted due to a specific error message:
```json
{
  "exceptionEvent": true,
  "useDefault": false,
  "event": {
    "descriptor": "markup://aura:serverActionError",
    "attributes": {
      "values": {
        "error": {
          "message": "industries.impl.dataUtils.IndustriesDirectSoapUtil$DirectSoapException: MALFORMED_QUERY: \nContentVersion WHERE ContentDocumentId = '''\n ^\nERROR at Row:1:Column:239\nunexpected token: '''",
          "stackTrace": "",
          "data": {
            "message": "industries.impl.dataUtils.IndustriesDirectSoapUtil$DirectSoapException: MALFORMED_QUERY: \nContentVersion WHERE ContentDocumentId = '''\n ^\nERROR at Row:1:Column:239\nunexpected token: '''",
            "statusCode": 400,
            "errorCode": "INTERNAL_ERROR"
          },
          "id": "-380442143"
        }
      }
    }
  }
}
```
This error indicated that user-supplied input was being directly inserted into a SOQL query, a classic sign of injection risk.
SOQL, while similar to SQL, imposes several limitations that make exploitation more challenging: no UNION-based attacks, limited subqueries, and strict constraints on joins and multi-query operations.
However, the researcher leveraged a response discrepancy technique—akin to error-based blind SQL injection—to infer data from the database.
For example, by sending a crafted contentDocumentId such as:

```text
069TP00000HbJbNYAV' AND OwnerId IN (SELECT Id FROM User WHERE Email LIKE 'a%25') AND ContentDocumentId != '
```
The researcher could determine whether a subquery matched by observing the response.
If the subquery was successful, a valid document was returned; otherwise, an error was generated.
This allowed for the systematic extraction of sensitive user and document information, even without direct access to other tables.
Additionally, by using scripts to generate valid contentDocumentId values—exploiting the predictable nature of Salesforce IDs—the researcher could brute-force and enumerate document details, including owner information, across the entire deployment.
The vulnerability could have enabled attackers to extract sensitive data, such as user emails, names, addresses, and even password hashes, depending on the configuration.
The researcher reported the issue to Salesforce, which quietly patched the vulnerability without issuing an advisory or CVE, a practice sometimes adopted by large vendors to avoid drawing attention to security flaws.
To prevent SOQL injection, Salesforce and the broader Apex developer community recommend using static queries with binding variables instead of dynamic query construction.
For example, the following Apex code is vulnerable:
```apex
// User-controlled name is concatenated straight into the SOQL text
String qryString = 'SELECT Id FROM Contact WHERE (IsDeleted = false and Name like \'%' + name + '%\')';
List<Contact> queryResult = Database.query(qryString);
```
Instead, developers should use:
```apex
// The bind variable :name keeps the user-supplied value out of the query text
String qryString = 'SELECT Id FROM Contact WHERE IsDeleted = false and Name LIKE :name';
// queryWithBinds requires an access level; USER_MODE also enforces the running user's object and field permissions
List<Contact> queryResult = Database.queryWithBinds(qryString, new Map<String,Object>{'name' => '%' + name + '%'}, AccessLevel.USER_MODE);
```
This approach ensures that user input is not directly inserted into the query string, mitigating injection risks.
| Technique | Description | Prevention Method |
|---|---|---|
| Dynamic SOQL | Query built as a string with user input | Use static queries with binds |
| Error-based Injection | Exploit error messages to infer data | Validate and sanitize input |
| ID Brute-forcing | Generate predictable object IDs to access data | Implement rate limiting and logging |
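As an added defensive example (not code from the researcher or from Salesforce), the following Python implements the two prevention methods from the table: a strict allow-list check for Salesforce record IDs, including the 18-character case checksum, which rejects the crafted contentDocumentId above outright, and a log-analysis pass that flags both non-ID parameter values and clients that enumerate many distinct IDs against the same Aura action. The gateway log format and client addresses are constructed; only the action name and the document ID come from the article.

```python
from collections import defaultdict

# Salesforce record IDs are 15 case-sensitive alphanumerics or 18 chars (the 15-char
# ID plus a 3-char checksum). Any other value in an ID parameter is never legitimate.
_SUFFIX_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"


def checksum_suffix(id15):
    """Suffix of the 18-char form: each char encodes, as a 5-bit number, which
    of five consecutive characters of the 15-char ID are uppercase."""
    out = ""
    for g in range(3):
        group = id15[g * 5:(g + 1) * 5]
        bits = sum(1 << i for i, ch in enumerate(group) if ch.isupper())
        out += _SUFFIX_ALPHABET[bits]
    return out


def is_valid_salesforce_id(value):
    """Strict allow-list check for a contentDocumentId-style parameter."""
    if len(value) not in (15, 18) or not (value.isascii() and value.isalnum()):
        return False
    return len(value) == 15 or checksum_suffix(value[:15]) == value[15:]


# Constructed sample log (hypothetical gateway format, not Salesforce's own):
# "<client-ip> <aura action> contentDocumentId=<raw parameter value>"
ACTION = "aura://CsvDataImportResourceFamilyController/ACTION$getCsvAutoMap"
SAMPLE_LOG = [
    f"10.0.0.5 {ACTION} contentDocumentId=069TP00000HbJbNYAV",
    f"10.0.0.9 {ACTION} contentDocumentId=069TP00000HbJbNYAV' AND OwnerId IN "
    "(SELECT Id FROM User WHERE Email LIKE 'a%') AND ContentDocumentId != '",
    f"10.0.0.7 {ACTION} contentDocumentId=069TP00000HbJbNYAV",
    f"10.0.0.7 {ACTION} contentDocumentId=069TP00000HbJbOYAV",
    f"10.0.0.7 {ACTION} contentDocumentId=069TP00000HbJbPYAV",
]


def analyze_log(lines, enum_threshold=2):
    """Flag non-ID parameter values (injection) and clients that probe more than
    enum_threshold distinct valid IDs against one action (ID enumeration)."""
    findings, seen = [], defaultdict(set)
    for line in lines:
        client, action, param = line.split(" ", 2)
        value = param.partition("=")[2]
        if not is_valid_salesforce_id(value):
            findings.append((client, "soql_injection"))
        else:
            seen[(client, action)].add(value)
            if len(seen[(client, action)]) == enum_threshold + 1:
                findings.append((client, "id_enumeration"))
    return findings
```

The checksum check matters because a payload that merely looks ID-shaped (right length, wrong case) is still rejected, while the enumeration rule catches the brute-forcing described above even when every individual request carries a well-formed ID.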
The incident underscores the importance of secure coding practices, input validation, and the need for ongoing security research in enterprise cloud environments.
Developers are urged to review their code for dynamic SOQL and adopt secure alternatives to protect sensitive data from exploitation.