Summary An authenticated user with "columnAdd" permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional "direction" argument of "ARRAYSORT(...)". The value is unrestricted by formula validation and embedded into a "knex.raw" "ORDER BY" clause, executing during column creation and on every subsequent record read of the formula column. Details The vulnerability is specific to the Postgres mapping for "ARRAYSORT" in "packages/nocodb/src/db/functionMappings/pg.ts". Two factors combine: 1. "ARRAYSORT" declares only argument count, not "validation.args.type", so "validate-extract-tree.ts" does not enforce an allowlist on the second argument. 2. The Postgres mapping then passes the attacker-controlled value through "sanitize(knex.raw(...))" into a raw SQL fragment: const direction = pt.arguments[1] ? sanitize( knex.raw(pt.arguments[1]?.value ?? (await fn(pt.arguments[1])).builder), ) : knex.raw('asc'); return { builder: knex.raw("ARRAY(SELECT UNNEST(??) ORDER BY 1 ??)", [source, direction]), }; "sanitize()" in "sqlSanitize.ts" only escapes "?" placeholder characters; it does not validate SQL syntax. A payload such as ""desc, (SELECT COUNT(*) FROM generate_series(1,30000000))"" is accepted, persisted, and re-executed on every read of the formula column. Impact - Authenticated SQL injection against Postgres-backed bases. - Requires "columnAdd" permission (creator/owner-level). - Proven impact: attacker-controlled heavy SQL causing multi-second query stalls (DoS). - Potentially extendable to broader SQL injection outcomes depending on database permissions and deployment hardening. - Limited to Postgres backends. Credit This issue was reported by "@leduckhuong" (https://github.com/leduckhuong).