fix: correct GHSA-887w-45rq-vxgf sqlalchemy fixed version 1.2.18 -> 1.3.0b1#7486
Open
DEVSOG12 wants to merge 1 commit intogithub:DEVSOG12/advisory-improvement-7486from
Open
Conversation
….3.0b1 (no 1.2.x backport)
github-actions
Bot
changed the base branch from
main
to
DEVSOG12/advisory-improvement-7486
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the OSV advisory for GHSA-887w-45rq-vxgf / CVE-2019-7164 to reflect that the SQL injection fix was not actually present in the SQLAlchemy 1.2.x line, adjusting the “fixed” version boundary and clarifying the advisory text accordingly.
Changes:
- Updates the advisory
detailsto explain the missing backport and required upgrade path. - Adjusts the PyPI ECOSYSTEM range “fixed” version for the 1.2.x line.
- Bumps the advisory
modifiedtimestamp.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "schema_version": "1.4.0", | ||
| "id": "GHSA-887w-45rq-vxgf", | ||
| "modified": "2024-10-28T14:20:14Z", | ||
| "modified": "2026-04-22T00:00:00Z", |
Comment on lines
51
to
55
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.2.18" | ||
| "fixed": "1.3.0b1" | ||
| } |
| ], | ||
| "summary": "SQLAlchemy vulnerable to SQL Injection via order_by parameter", | ||
| "details": "SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.", | ||
| "details": "SQLAlchemy through 1.2.18 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. The fix (commit 30307c4) was never backported to the 1.2.x release branch; users on 1.2.x must upgrade to 1.3.0b3 or later.", |
CaselIT
approved these changes
Apr 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
git merge-base --is-ancestor 30307c4616ad67c01ddae2e1e8e34fabf6028414 rel_1_2_18returns false — the fix commit was never backported to the 1.2.x release branch. The PyPI artifact for SQLAlchemy 1.2.18 shipslib/sqlalchemy/sql/compiler.pybyte-identical to the pre-fix state. The entire 1.2.x series remains vulnerable.The fix only exists on the main branch starting at 1.3.0b3. The 1.3.0b1-1.3.0b2 range (already correctly marked as affected) is unchanged.
Change: second ECOSYSTEM range
fixed: "1.2.18"->fixed: "1.3.0b1", meaning users on any 1.2.x version must upgrade to 1.3.x to get the fix. Updated details text to reflect this.Opened on behalf of the SQLAlchemy maintainers (@CaselIT, @zzzeek) per sqlalchemy/sqlalchemy#13252 (comment)