connect-pg-simple@4.1.0 vulnerabilities

A simple, minimal PostgreSQL session store for Connect/Express

latest version

9.0.1
latest non vulnerable version

9.0.1
first published

10 years ago
latest version published

6 months ago
licenses detected
- MIT
  >=0
View connect-pg-simple package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the connect-pg-simple package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M SQL Injection connect-pg-simple is a minimal PostgreSQL session store for Express/Connect. Affected versions of this package are vulnerable to SQL Injection within `PGStore.prototype.quotedTable` function where user input is wrapped using double quotes. If the schemaName is set to `'web".session WHERE $1=$1;--`, it is possible to wipe the web.session table every time the prune process runs. How to fix SQL Injection? Upgrade `connect-pg-simple` to version 6.0.1 or higher.	<6.0.1

SQL Injection

connect-pg-simple is a minimal PostgreSQL session store for Express/Connect.

Affected versions of this package are vulnerable to SQL Injection within PGStore.prototype.quotedTable function where user input is wrapped using double quotes. If the schemaName is set to 'web".session WHERE $1=$1;--, it is possible to wipe the web.session table every time the prune process runs.

How to fix SQL Injection?

Upgrade connect-pg-simple to version 6.0.1 or higher.

<6.0.1

Go back to all versions of this package

connect-pg-simple@4.1.0 vulnerabilities

A simple, minimal PostgreSQL session store for Connect/Express

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities