Critical Data Layer Update: Navigating Security & Stability in ESHOPMAN

Addressing a Critical Security Vulnerability in ESHOPMAN's Data Layer

The ESHOPMAN platform, built on Node.js/TypeScript and powering headless commerce experiences through HubSpot CMS, is committed to providing a secure and stable environment for all merchants and developers. Recently, our community identified a critical security vulnerability (CVE-2026-44680), a high-severity SQL injection, within a core data layer dependency.

This vulnerability, stemming from runtime-controlled identifiers and JSON-path keys reaching the query layer, could impact how ESHOPMAN's Admin API and Store API interact with data, affecting product variants and other vital commerce information. While ESHOPMAN's underlying data management system was pinned to a version that predated the fix, our team immediately initiated an upgrade path to mitigate this risk.

The Challenge: Unexpected Regressions During Upgrade

In our proactive efforts to update the data layer dependency to a version that patched the SQL injection (e.g., 6.6.14+), we encountered unexpected regressions. Attempts to force the updated version resulted in application crashes during routine operations, particularly when handling complex data relationships and paginated queries.

The root cause was traced to a conflict between ESHOPMAN's internal data handling mechanisms and stricter validation introduced in the newer dependency version. Specifically, ESHOPMAN's data layer employs a method (conceptually similar to compensateRelationFieldsSelectionFromLoadStrategy) which, when a SELECT_IN load strategy is active (common in paginated queries), appends dot-notation wildcard paths (like relation.sub.*) to its query options. The updated dependency, however, introduced stricter validation that crashes on these paths if intermediate segments are not direct properties of the root entity. This directly impacts how ESHOPMAN's query.graph mechanism processes complex data relationships for storefront management within HubSpot.

Pathways to Resolution

The ESHOPMAN team, in collaboration with the wider community, has identified two primary paths to resolve this issue and ensure both security and stability:

  1. Upstream Dependency Fix: A future release of the underlying data layer dependency (e.g., 6.6.15) that incorporates additional guards to handle these dot-notation wildcard paths gracefully.
  2. ESHOPMAN Internal Adjustment: Modifying ESHOPMAN's data layer logic to adjust how it emits populate hints, ensuring they always reference direct entity properties and avoid paths that trigger the stricter validation. This would involve revisiting existing code that was previously identified as a potential area for optimization.
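
The second path, and the "additional guards" mentioned in the first, both come down to resolving each segment of a dot-notation populate hint against the entity it actually belongs to instead of letting an unresolvable path reach the ORM and throw mid-request. The following is an added illustration of that check, not ESHOPMAN's code and not the dependency's own validation: the entity metadata map, the entity and relation names, and the `checkPopulatePath`/`normalisePopulate` helpers are all constructed for this example.

```typescript
// Added example: guard dot-notation populate hints such as "variants.options.*"
// before they are handed to a stricter query builder. Not ESHOPMAN code.

type EntityName = string;

// Constructed metadata: for each entity, its relation properties and the
// entity each relation points to. Plain fields (sku, title, ...) are absent
// on purpose: they are not traversable and must not appear mid-path.
const metadata: Record<EntityName, Record<string, EntityName>> = {
  Product: { variants: 'ProductVariant', collection: 'Collection' },
  ProductVariant: { options: 'ProductOption', prices: 'MoneyAmount' },
  ProductOption: { values: 'ProductOptionValue' },
  Collection: {},
  MoneyAmount: {},
  ProductOptionValue: {},
};

interface PopulateCheck {
  path: string;
  valid: boolean;
  reason?: string;
}

// Walk the hint segment by segment, resolving each intermediate segment against
// the *current* entity's relations rather than assuming every segment is a
// direct property of the root. A trailing "*" selects all fields of the entity
// reached so far and is only legal as the last segment.
function checkPopulatePath(root: EntityName, path: string, meta = metadata): PopulateCheck {
  const segments = path.split('.');
  let current = root;
  for (let i = 0; i < segments.length; i++) {
    const seg = segments[i] ?? '';
    if (seg === '*') {
      if (i !== segments.length - 1) {
        return { path, valid: false, reason: `wildcard must be the last segment (position ${i})` };
      }
      return { path, valid: true };
    }
    const relations = meta[current];
    // hasOwnProperty rather than `in`: "constructor.*" must not resolve via the prototype.
    const next = relations && Object.prototype.hasOwnProperty.call(relations, seg) ? relations[seg] : undefined;
    if (next === undefined) {
      return { path, valid: false, reason: `'${seg}' is not a relation of ${current}` };
    }
    current = next;
  }
  return { path, valid: true };
}

// Normalise the hints a load strategy would emit: keep resolvable paths with the
// wildcard stripped (the relation itself is what needs populating), drop
// duplicates, and report the rest so callers can log them instead of crashing.
function normalisePopulate(
  root: EntityName,
  hints: string[],
  meta = metadata,
): { populate: string[]; rejected: PopulateCheck[] } {
  const populate: string[] = [];
  const rejected: PopulateCheck[] = [];
  for (const hint of hints) {
    const result = checkPopulatePath(root, hint, meta);
    if (!result.valid) {
      rejected.push(result);
      continue;
    }
    const cleaned = hint.endsWith('.*') ? hint.slice(0, -2) : hint;
    // A bare "*" means "all root fields" and needs no populate entry at all.
    if (cleaned !== '*' && !populate.includes(cleaned)) populate.push(cleaned);
  }
  return { populate, rejected };
}

// Usage with constructed hints of the shape described above.
const outcome = normalisePopulate('Product', [
  'variants.options.*', 'variants.prices', 'collection.*',
  'variants.sku.*', 'bogus.*', 'variants.options.*',
]);
console.log(outcome.populate);                       // relations safe to pass on
console.log(outcome.rejected.map((r) => r.reason));  // what would have crashed
```

The rejected list is what a regression like the one described above turns into once the guard is in place: a logged, inspectable set of bad hints per request rather than a crash in the paginated query path.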

Community Engagement and ESHOPMAN's Commitment

The ESHOPMAN team has confirmed the bug and is actively prioritizing its resolution, acknowledging that this area was already on their radar for review. We understand the importance of a secure and stable platform for managing your storefronts via HubSpot CMS and utilizing the Admin and Store APIs.

We appreciate the vigilance of our community members who brought this to our attention and provided detailed diagnostics. We welcome further contributions, particularly in testing and verifying fixes once they are available, to ensure a robust solution for all ESHOPMAN deployments. Stay tuned for updates as we work to implement these critical improvements.
