pg-promise@2.9.1 vulnerabilities

PostgreSQL interface for Node.js

latest version

11.10.2

latest non vulnerable version

11.10.2

first published

9 years ago

latest version published

1 months ago

licenses detected

MIT
>=0.1.3

View pg-promise package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the pg-promise package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M SQL Injection pg-promise is a PostgreSQL interface for Node.js Affected versions of this package are vulnerable to SQL Injection when using the simple query mode. Since `pgFormatting` is enabled by default, pg-promise escapes parameter values before inserting them into a query string. When a placeholder is directly preceded by a minus `-` and not separated by any whitespace, pg-promise does not handle the particular case when a negative number is inserted for the placeholder. This leads to two consecutive minus signs in the query, turning them into the start of a line comment. Note: To exploit this behavior and cause SQL Injection, the following conditions must be met by a parameterized query: a placeholder for a numeric value must be immediately preceded by a minus (as described above). there must be a second placeholder for a string value after the first placeholder; both must be on the same line. both parameter values must be user-controlled How to fix SQL Injection? Upgrade `pg-promise` to version 11.5.5 or higher.	<11.5.5

SQL Injection

pg-promise is a PostgreSQL interface for Node.js

Affected versions of this package are vulnerable to SQL Injection when using the simple query mode. Since pgFormatting is enabled by default, pg-promise escapes parameter values before inserting them into a query string.

When a placeholder is directly preceded by a minus - and not separated by any whitespace, pg-promise does not handle the particular case when a negative number is inserted for the placeholder. This leads to two consecutive minus signs in the query, turning them into the start of a line comment.

Note:

To exploit this behavior and cause SQL Injection, the following conditions must be met by a parameterized query:

a placeholder for a numeric value must be immediately preceded by a minus (as described above).
there must be a second placeholder for a string value after the first placeholder; both must be on the same line.
both parameter values must be user-controlled

How to fix SQL Injection?

Upgrade pg-promise to version 11.5.5 or higher.

<11.5.5

Go back to all versions of this package