A critical SQL injection vulnerability in the Veramo framework allows authenticated attackers to dump sensitive data from digital wallets. Tracked as GHSA-38CW-85XC-XR9X, the flaw exists in versions below 6.0.2 and stems from the `decorateQB()` function. Attackers can manipulate the `order` parameter in API requests to bypass ORM protections and exfiltrate private keys and verifiable credentials directly from the database.

The vulnerability affects the core @veramo/data-store and @veramo/data-store-json packages. It carries a CVSS score of 6.8, indicating medium severity but high impact on confidentiality and integrity. Since Veramo is a key tool for Self-Sovereign Identity (SSI), a successful exploit could compromise an entire identity wallet, undermining the trust model that these systems are built to establish.

Developers must immediately upgrade to version 6.0.2 or higher, which implements a whitelist for dynamic column names. The fix replaces vulnerable query building with strict input validation. For those running custom data stores, manually implementing the `ALLOWED_COLUMNS` check is critical. This incident underscores the persistent threat of injection attacks even in modern, decentralized identity frameworks.