CVE-2026-3992 Overview
CVE-2026-3992 is an injection vulnerability [CWE-74] in CodeGenieApp serverless-express versions up to 4.17.1. The flaw resides in the utils/dynamodb.ts file within the Users Endpoint component. Attackers can manipulate the filter argument to inject malicious input processed by the application. The attack is remotely exploitable and requires only low privileges. A public exploit has been released, increasing the likelihood of opportunistic abuse. The vendor was contacted before disclosure but did not respond.
Critical Impact
Remote attackers with low privileges can inject crafted input through the filter argument in the Users Endpoint, affecting confidentiality, integrity, and availability of data handled by the DynamoDB query layer.
Affected Products
- CodeGenieApp serverless-express versions up to and including 4.17.1
- Applications built on top of serverless-express that expose the Users Endpoint
- Deployments using utils/dynamodb.ts with user-controlled filter input
Discovery Timeline
- 2026-03-12 - CVE-2026-3992 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-3992
Vulnerability Analysis
The vulnerability is classified as Improper Neutralization of Special Elements in Output Used by a Downstream Component [CWE-74]. The affected code path is in utils/dynamodb.ts, which constructs DynamoDB query expressions using the filter argument supplied through the Users Endpoint. Because the argument is not sanitized or parameterized correctly, attacker-controlled values are passed into downstream query logic. This permits injection of expression fragments that alter the intended query semantics. An authenticated attacker with low privileges can issue crafted HTTP requests over the network and influence query behavior without user interaction. The result is unauthorized read, modification, or disruption of records accessible through the Users Endpoint.
Root Cause
The root cause is the direct incorporation of unsanitized user input from the filter parameter into DynamoDB expression construction within utils/dynamodb.ts. The code does not enforce strict typing, allowlisting, or proper use of ExpressionAttributeValues and ExpressionAttributeNames placeholders. As a consequence, attacker-supplied operators and attribute references are interpreted as part of the query expression.
Attack Vector
The attack vector is network-based and requires low privileges on the target application. An attacker sends an HTTP request to the Users Endpoint with a manipulated filter value. The crafted payload alters the DynamoDB filter expression evaluated server-side. Public exploit information is available through the GitHub Issue Report, and additional details are tracked in VulDB #350474. No verified proof-of-concept code is reproduced here; refer to the linked references for technical specifics.
Detection Methods for CVE-2026-3992
Indicators of Compromise
- HTTP requests to the Users Endpoint containing DynamoDB operator strings such as begins_with, contains, or attribute_exists inside the filter parameter
- Unexpected DynamoDB Scan or Query operations with anomalous FilterExpression content in CloudTrail logs
- Application error traces originating from utils/dynamodb.ts correlated with malformed filter input
- Repeated authenticated requests probing the Users Endpoint with varying filter payloads from a single client
Detection Strategies
- Inspect API gateway and application logs for filter parameter values containing reserved DynamoDB expression tokens or boolean operators
- Correlate authenticated session activity with DynamoDB query patterns that deviate from established baselines
- Deploy WAF rules that flag DynamoDB expression syntax in JSON request bodies submitted to the Users Endpoint
- Review code for invocations of utils/dynamodb.ts that pass raw client input into filter construction
Monitoring Recommendations
- Enable detailed CloudTrail data events for the DynamoDB tables backing the Users Endpoint
- Alert on spikes in Scan operations or filter expressions exceeding expected length or complexity
- Track failed authorization checks and anomalous response sizes from the Users Endpoint
How to Mitigate CVE-2026-3992
Immediate Actions Required
- Audit any deployment using CodeGenieApp serverless-express 4.17.1 or earlier and inventory exposed instances of the Users Endpoint
- Restrict network access to the Users Endpoint using authentication, IP allowlists, or API gateway throttling until a fix is applied
- Apply server-side input validation that rejects filter values containing DynamoDB expression syntax
- Review DynamoDB IAM policies to enforce least privilege on the application's execution role
Patch Information
No vendor patch has been published. The vendor was contacted before disclosure but did not respond. Track the VulDB CTI entry #350474 and the upstream GitHub Issue Report for any future fix announcements.
Workarounds
- Rewrite utils/dynamodb.ts filter handling to use ExpressionAttributeValues and ExpressionAttributeNames placeholders instead of string concatenation
- Implement an allowlist of permitted filter fields and operators before constructing the DynamoDB expression
- Wrap the Users Endpoint behind an authorization layer that validates request schemas and rejects unexpected filter structures
- Deploy a WAF rule that blocks request bodies containing DynamoDB reserved expression tokens in the filter field
# Example WAF rule snippet to block DynamoDB expression syntax in filter parameter
# (adapt to your WAF vendor)
SecRule ARGS:filter "@rx (begins_with|contains|attribute_exists|attribute_not_exists|<>|<=|>=)" \
"id:1002601,phase:2,deny,status:400,log,msg:'Potential CVE-2026-3992 DynamoDB filter injection'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
