Description
Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection, unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts (PostgREST error 57014). Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints (e.g. /orgs), resulting in an application-layer denial of service.
Problem types
Uncontrolled Resource Consumption
Product status
Any version before 12.128.12
12.128.12 (semver)
Credits
Judel777
References
github.com/.../capgo/security/advisories/GHSA-5vgv-rqj5-5748
github.com/.../capgo/security/advisories/GHSA-5vgv-rqj5-5748 (GitHub Security Advisory (GHSA-5vgv-rqj5-5748))
www.vulncheck.com/...al-of-service-via-audit-logs-rls-policy (VulnCheck Advisory: Capgo - Unauthenticated Denial-of-Service via audit_logs RLS Policy)