CVE-2026-31825 Overview
Sylius, an Open Source eCommerce Framework built on Symfony, contains a DQL (Doctrine Query Language) injection vulnerability in its API filters. The ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter components pass user-supplied order direction values directly to Doctrine's orderBy() method without proper validation. This improper input handling allows an attacker to inject arbitrary DQL statements, potentially leading to unauthorized data access.
Critical Impact
Unauthenticated attackers can exploit this DQL injection vulnerability to extract sensitive information from the application database by manipulating API filter parameters.
Affected Products
- Sylius versions prior to 1.9.12
- Sylius versions 1.10.x prior to 1.10.16
- Sylius versions 1.11.x prior to 1.11.17
- Sylius versions 1.12.x prior to 1.12.23
- Sylius versions 1.13.x prior to 1.13.15
- Sylius versions 1.14.x prior to 1.14.18
- Sylius versions 2.0.x prior to 2.0.16
- Sylius versions 2.1.x prior to 2.1.12
- Sylius versions 2.2.x prior to 2.2.3
Discovery Timeline
- 2026-03-10 - CVE-2026-31825 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-31825
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection), specifically manifesting as a DQL injection issue within the Sylius API filtering mechanism. The vulnerability exists because the API filters do not validate or sanitize the order direction parameter before passing it to Doctrine's query builder.
In typical API usage, the orderBy() method expects predefined direction values such as ASC or DESC. However, the vulnerable filters accept arbitrary user input for this parameter, allowing attackers to break out of the intended query structure and inject malicious DQL statements. This can be exploited remotely without any authentication, though the impact is limited to information disclosure rather than data modification.
Root Cause
The root cause is improper input validation in the ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter classes. These filters fail to implement a whitelist approach for the order direction parameter, which should only accept ASC or DESC values. Instead, the user-supplied value is passed directly to Doctrine's orderBy() method, creating an injection point.
Attack Vector
The attack can be performed over the network without authentication. An attacker crafts malicious API requests with specially crafted order direction parameters. By manipulating the filter parameters in API calls to product listing endpoints, attackers can inject DQL fragments that alter the query behavior. This enables extraction of sensitive information from the database, including data from tables that should not be accessible through the normal API response.
The vulnerability mechanism involves passing malicious DQL syntax through API filter parameters. When the application processes these parameters, the injected DQL is executed as part of the database query. For detailed technical analysis, see the GitHub Security Advisory.
Detection Methods for CVE-2026-31825
Indicators of Compromise
- Unusual API requests to product listing endpoints with malformed or suspicious order parameters
- Database query logs showing unexpected DQL syntax or subqueries in ORDER BY clauses
- API error responses indicating DQL parsing errors or syntax exceptions
- Anomalous data access patterns from web application processes
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block SQL/DQL injection patterns in API parameters
- Monitor application logs for Doctrine ORM exceptions or query builder errors
- Deploy API request logging with pattern analysis to identify injection attempts in filter parameters
- Configure intrusion detection systems to alert on unusual query patterns from the Sylius application
Monitoring Recommendations
- Enable verbose logging for all Sylius API filter operations to capture suspicious parameter values
- Set up alerting for failed database queries originating from API endpoints
- Monitor for increased API traffic to product listing endpoints that may indicate reconnaissance or exploitation attempts
- Review database audit logs for queries containing unexpected ORDER BY patterns
How to Mitigate CVE-2026-31825
Immediate Actions Required
- Update Sylius to the latest patched version for your release branch immediately
- Review API access logs for potential exploitation attempts prior to patching
- Implement WAF rules to block requests containing suspicious characters in order direction parameters
- Consider temporarily disabling the affected API filters if immediate patching is not possible
Patch Information
Sylius has released security patches across all supported version branches. Upgrade to one of the following fixed versions:
| Version Branch | Fixed Version |
|---|---|
| 1.9.x | 1.9.12 |
| 1.10.x | 1.10.16 |
| 1.11.x | 1.11.17 |
| 1.12.x | 1.12.23 |
| 1.13.x | 1.13.15 |
| 1.14.x | 1.14.18 |
| 2.0.x | 2.0.16 |
| 2.1.x | 2.1.12 |
| 2.2.x | 2.2.3 |
For complete patch details, refer to the GitHub Security Advisory.
Workarounds
- Implement a custom API filter decorator that validates order direction parameters against a strict whitelist (ASC, DESC)
- Deploy a reverse proxy or WAF rule to sanitize or reject requests with non-standard order direction values
- Disable the ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter in API Platform configuration until patching is completed
- Implement network-level restrictions to limit API access to trusted sources
# Example: Disable vulnerable filters in Sylius API Platform configuration
# In config/packages/api_platform.yaml, remove or comment out the affected filters:
# api_platform:
# collection:
# order_parameter_name: order
# Review and restrict filter configurations until patch is applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
