SQL Injection Affecting pg-promise package, versions <11.5.5
- Snyk ID SNYK-JS-PGPROMISE-6501690
- published 27 Mar 2024
- disclosed 21 Mar 2024
- credit Paul Gerste
How to fix?
Upgrade pg-promise to version 11.5.5 or higher.
Overview
pg-promise is a PostgreSQL interface for Node.js.
Affected versions of this package are vulnerable to SQL Injection when using the simple query mode. Since pgFormatting is enabled by default, pg-promise escapes parameter values before inserting them into a query string. When a placeholder is directly preceded by a minus (-) and not separated by any whitespace, pg-promise does not handle the particular case when a negative number is inserted for the placeholder. This leads to two consecutive minus signs in the query, turning them into the start of a line comment.
Note:
To exploit this behavior and cause SQL Injection, the following conditions must be met by a parameterized query:
- a placeholder for a numeric value must be immediately preceded by a minus (as described above);
- there must be a second placeholder for a string value after the first placeholder; both must be on the same line;
- both parameter values must be user-controlled.
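As an added illustration (not pg-promise's own code), the following sketch models how a value is substituted into the query text, shows why a negative number behind `-$1` yields `--`, and provides a lint check for the `-$n` pattern plus the whitespace rewrite that avoids it. The value-formatting rules and all function names are assumptions made for this example.

```javascript
// Added example; a deliberately minimal stand-in for pg-promise's formatter,
// not the library's implementation (assumption: numbers are inserted verbatim,
// strings are single-quoted with embedded quotes doubled).
function formatValue(v) {
  if (typeof v === 'number') return String(v);
  if (typeof v === 'string') return "'" + v.replace(/'/g, "''") + "'";
  throw new TypeError('unsupported value type: ' + typeof v);
}

// Substitute $1, $2, ... with formatted values (hypothetical helper).
function formatQuery(query, values) {
  return query.replace(/\$(\d+)/g, (_m, n) => formatValue(values[Number(n) - 1]));
}

// Lint: report every placeholder directly preceded by '-' with no whitespace,
// which is the pattern this advisory describes.
function findMinusPlaceholders(query) {
  const hits = [];
  const re = /-\$(\d+)/g;
  let m;
  while ((m = re.exec(query)) !== null) {
    hits.push({ index: m.index, placeholder: '$' + m[1] });
  }
  return hits;
}

// Does substitution introduce a line comment the template itself did not have?
function introducesLineComment(query, values) {
  return !query.includes('--') && formatQuery(query, values).includes('--');
}

// Mitigation for code that cannot upgrade yet: put whitespace between the
// minus and the placeholder, so a negative value renders as "- -5", not "--5".
function rewriteMinusPlaceholders(query) {
  return query.replace(/-\$(\d+)/g, '- $$$1');
}

// Constructed sample: numeric placeholder right behind a minus, string after it.
const RISKY = 'SELECT 10-$1 AS n, $2 AS name';
```

Running `formatQuery(RISKY, [-5, 'alice'])` shows the `10--5` text that comments out the rest of the line, while `rewriteMinusPlaceholders(RISKY)` keeps the arithmetic intact.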