connect-pg-simple@3.1.0 vulnerabilities

A simple, minimal PostgreSQL session store for Connect/Express

  • latest version

    10.0.0

  • latest non vulnerable version

  • first published

    10 years ago

  • latest version published

    3 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the connect-pg-simple package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    SQL Injection

    connect-pg-simple is a minimal PostgreSQL session store for Express/Connect.

    Affected versions of this package are vulnerable to SQL Injection within PGStore.prototype.quotedTable function where user input is wrapped using double quotes. If the schemaName is set to 'web".session WHERE $1=$1;--, it is possible to wipe the web.session table every time the prune process runs.

    How to fix SQL Injection?

    Upgrade connect-pg-simple to version 6.0.1 or higher.

    <6.0.1