pg-promise@5.4.1 vulnerabilities

PostgreSQL interface for Node.js

Direct Vulnerabilities

Known vulnerabilities in the pg-promise package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
SQL Injection

pg-promise is a PostgreSQL interface for Node.js

Affected versions of this package are vulnerable to SQL Injection when using the simple query mode. Since pgFormatting is enabled by default, pg-promise escapes parameter values before inserting them into a query string.

When a placeholder is directly preceded by a minus - and not separated by any whitespace, pg-promise does not handle the particular case when a negative number is inserted for the placeholder. This leads to two consecutive minus signs in the query, turning them into the start of a line comment.

Note:

To exploit this behavior and cause SQL Injection, the following conditions must be met by a parameterized query:

  1. a placeholder for a numeric value must be immediately preceded by a minus (as described above).

  2. there must be a second placeholder for a string value after the first placeholder; both must be on the same line.

  3. both parameter values must be user-controlled

How to fix SQL Injection?

Upgrade pg-promise to version 11.5.5 or higher.

<11.5.5