A critical zero-day vulnerability discovered in Salesforce's default controller has exposed millions of user records across thousands of deployments worldwide.
The security flaw, found in the built-in aura://CsvDataImportResourceFamilyController/ACTION$getCsvAutoMap controller, allowed attackers to extract sensitive user information and document details through SOQL injection techniques.
SOQL Injection 0-Day Vulnerability
The vulnerability was discovered while conducting automated fuzzing tests on Aura controllers present in Salesforce deployments.
A custom parser and fuzzer was developed to test hundreds of endpoints by mutating input parameters across the application's app.js file, which conveniently defines controller descriptors and required arguments.
According to security researcher Tobia Righi, the breakthrough came when the fuzzer returned an unexpected error message revealing unsafe parameter handling: "MALFORMED_QUERY: \nContentVersion WHERE ContentDocumentId = ''\n ERROR at Row:1:Column:239\nunexpected token: '''".
This error indicated that the contentDocumentId parameter was being directly embedded into SOQL queries without proper sanitization, creating a pathway for injection attacks.
Despite SOQL's inherent restrictions compared to traditional SQL injection vulnerabilities, the researcher successfully developed an exploitation technique using error-based blind injection methods.
The attack leveraged response discrepancies between valid and invalid queries to extract sensitive database information.
By crafting payloads such as 069TP00000HbJbNYAV' AND OwnerId IN (SELECT Id FROM User WHERE Email LIKE 'a%25') AND ContentDocumentId != ', attackers could enumerate column contents from any object related to ContentDocument.
The technique exploited different server responses: successful subqueries returned 'Cannot invoke "common.udd.EntityInfo.getEntityId()" because "ei" is null', while unsuccessful ones returned 'Error in retrieving content document'.
The researcher enhanced the attack by incorporating Salesforce ID generation techniques, using existing scripts to generate thousands of valid contentDocumentId values starting with the prefix 069.
This allowed systematic extraction of document names, descriptions, and user details from both public and private ContentDocument objects across the platform.
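The following Python is an added example, not the researcher's fuzzer and not Salesforce's controller code. It contrasts the unsafe pattern the error message above implies (the parameter concatenated straight into a SOQL string) with an allow-listed builder, and runs a simple triage heuristic over constructed log lines that keys on the two oracle error strings quoted above. The log field layout (action=, contentDocumentId=, status=, error=) is assumed for the example; real Salesforce event logs use a different format and would need their own parser.

```python
import re

# ContentDocument IDs carry the key prefix 069 (stated in the article);
# Salesforce IDs are 15 or 18 alphanumeric characters.
SF_CONTENT_DOCUMENT_ID = re.compile(r"^069[A-Za-z0-9]{12}(?:[A-Za-z0-9]{3})?$")


def build_query_unsafe(content_document_id: str) -> str:
    """Illustrative defect: the caller-supplied value lands in the query verbatim."""
    return ("SELECT Id, Title FROM ContentVersion WHERE ContentDocumentId = '"
            + content_document_id + "'")


def soql_escape(value: str) -> str:
    """Backslash-escape quotes, mirroring what Apex String.escapeSingleQuotes does."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_query_safe(content_document_id: str) -> str:
    """Allow-list the ID shape first; escaping is defence in depth only."""
    if not SF_CONTENT_DOCUMENT_ID.match(content_document_id):
        raise ValueError("contentDocumentId is not a 15/18-character ID with prefix 069")
    return ("SELECT Id, Title FROM ContentVersion WHERE ContentDocumentId = '"
            + soql_escape(content_document_id) + "'")


# Error strings quoted in the article; the true/false pair is the response
# oracle an error-based blind injection loop distinguishes between.
ORACLE_TRUE = 'Cannot invoke "common.udd.EntityInfo.getEntityId()" because "ei" is null'
ORACLE_FALSE = "Error in retrieving content document"

# Assumed log line shape (constructed for this example):
#   ... action=<name> contentDocumentId=<value> status=<n> [error=<text>]
LOG_LINE = re.compile(
    r"action=getCsvAutoMap contentDocumentId=(?P<cid>.*?) status=(?P<status>\d+)"
    r"(?: error=(?P<error>.*))?$")


def classify(line: str) -> list:
    """Tag one request for analyst review; an empty list means nothing suspicious."""
    m = LOG_LINE.search(line)
    if not m:
        return []
    tags = []
    # A value that is not a well-formed 069 ID should never reach the controller.
    if not SF_CONTENT_DOCUMENT_ID.match(m.group("cid")):
        tags.append("malformed_id")
    err = m.group("error") or ""
    if "MALFORMED_QUERY" in err:
        tags.append("malformed_query")
    if ORACLE_TRUE in err:
        tags.append("oracle_true")
    if ORACLE_FALSE in err:
        tags.append("oracle_false")
    return tags


def scan_log(lines):
    """Return (line_number, tags) for every request that earned at least one tag."""
    return [(n, tags) for n, line in enumerate(lines, 1) if (tags := classify(line))]


# Constructed sample log: one benign request, one quote-only probe, and the
# two oracle outcomes of the payload shape quoted in the article.
SAMPLE_LOG = [
    "2025-02-20T10:01:02Z action=getCsvAutoMap contentDocumentId=069TP00000HbJbNYAV status=200",
    "2025-02-20T10:01:05Z action=getCsvAutoMap contentDocumentId=069TP00000HbJbNYAV' status=500"
    " error=MALFORMED_QUERY: unexpected token: '''",
    "2025-02-20T10:01:09Z action=getCsvAutoMap contentDocumentId=069TP00000HbJbNYAV' AND OwnerId IN"
    " (SELECT Id FROM User WHERE Email LIKE 'a%25') AND ContentDocumentId != ' status=500"
    ' error=Cannot invoke "common.udd.EntityInfo.getEntityId()" because "ei" is null',
    "2025-02-20T10:01:13Z action=getCsvAutoMap contentDocumentId=069TP00000HbJbNYAV' AND OwnerId IN"
    " (SELECT Id FROM User WHERE Email LIKE 'zz%25') AND ContentDocumentId != ' status=500"
    " error=Error in retrieving content document",
]

if __name__ == "__main__":
    print(build_query_unsafe("069TP00000HbJbNYAV'"))   # the quote survives into the query
    print(build_query_safe("069TP00000HbJbNYAV"))      # well-formed ID passes
    for line_no, tags in scan_log(SAMPLE_LOG):
        print(line_no, tags)
```

In practice the volume matters more than any single hit: a blind injection loop produces a long run of requests from one session that alternate between the two oracle strings, so counting oracle_true and oracle_false per user or IP over a time window is the signal to alert on, and the malformed_id check is the one that belongs in the controller itself.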
Patch Availability
After reporting the vulnerability to an affected organization, the researcher learned that the vulnerable controller was actually part of Salesforce's default installation, not custom code.
When subsequently reported to Salesforce in late February 2025, the company quietly patched the vulnerability without issuing a public advisory, CVE designation, or acknowledgment in release notes.
The vulnerability's impact extends far beyond individual organizations, as the affected controller was present in all Salesforce deployments by default.
The silent patching approach, while resolving the immediate security risk, has left the security community without official guidance on detection methods or potential indicators of compromise from the vulnerability's exploitation window.