pg-promise@1.5.0 vulnerabilities

PostgreSQL interface for Node.js

  • latest version

    11.10.2

  • latest non vulnerable version

  • first published

    9 years ago

  • latest version published

    1 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the pg-promise package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    SQL Injection

    pg-promise is a PostgreSQL interface for Node.js

    Affected versions of this package are vulnerable to SQL Injection when using the simple query mode. Since pgFormatting is enabled by default, pg-promise escapes parameter values before inserting them into a query string.

    When a placeholder is directly preceded by a minus - and not separated by any whitespace, pg-promise does not handle the particular case when a negative number is inserted for the placeholder. This leads to two consecutive minus signs in the query, turning them into the start of a line comment.

    Note:

    To exploit this behavior and cause SQL Injection, the following conditions must be met by a parameterized query:

    1. a placeholder for a numeric value must be immediately preceded by a minus (as described above).

    2. there must be a second placeholder for a string value after the first placeholder; both must be on the same line.

    3. both parameter values must be user-controlled

    How to fix SQL Injection?

    Upgrade pg-promise to version 11.5.5 or higher.

    <11.5.5