SQL Injection Affecting pg-promise package, versions <11.5.5


Severity: medium

Snyk CVSS

    Attack Complexity High
    Scope Changed

    Threat Intelligence

    Exploit Maturity Proof of concept

  • Snyk ID SNYK-JS-PGPROMISE-6501690
  • published 27 Mar 2024
  • disclosed 21 Mar 2024
  • credit Paul Gerste

Introduced: 21 Mar 2024

CVE not available; CWE-89 (SQL Injection)

How to fix?

Upgrade pg-promise to version 11.5.5 or higher. Check the resolved version in your lockfile (or with npm ls pg-promise), since a transitive dependency may still pin an older release.

Overview

pg-promise is a PostgreSQL interface for Node.js.

Affected versions of this package are vulnerable to SQL Injection when using the simple query mode. Because the pgFormatting option (which hands formatting over to the underlying pg driver) is off by default, pg-promise itself escapes parameter values and inserts them into the query string before the whole query is sent to the server as one text string.

When a placeholder is directly preceded by a minus sign with no whitespace between them (for example -$1), pg-promise does not special-case a negative number supplied for that placeholder. Formatting -$1 with the value -5 yields --5, and in PostgreSQL two consecutive minus signs start a line comment that runs to the end of the line. The server therefore ignores everything after that point on the same line, including the opening quote of any later escaped string parameter; if that string value contains a newline, the comment ends there and the rest of the string is parsed as SQL.

Note:

To exploit this behavior and cause SQL Injection, the following conditions must be met by a parameterized query:

  1. a placeholder for a numeric value must be immediately preceded by a minus (as described above).

  2. there must be a second placeholder for a string value later on the same line, so that the comment started by the double minus swallows the opening quote of the escaped string.

  3. both parameter values must be user-controlled: the number to produce the negative value, and the string to carry the injected SQL.
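The mechanism and the three conditions above, as an added example. This is not pg-promise's code nor anything from the advisory: formatValue and formatQuery are a deliberately minimal stand-in for client-side parameter formatting (numbers inserted verbatim, strings single-quoted with embedded quotes doubled), liveSql is a simplified tokenizer that shows which part of the formatted text PostgreSQL would actually parse once "--" line comments are dropped, and the accounts query, the hostile values and the findMinusPlaceholders lint check are constructed for this illustration. Nothing here connects to a database; it only shows the text that would be sent and how the server would read it.

```javascript
'use strict';
// Added example, not code from pg-promise or from the advisory. Models the
// client-side formatting the advisory describes and shows why "-$1" plus a
// negative number, followed by a string placeholder on the same line, lets
// attacker text run as SQL. All query text and values are constructed.

// Minimal stand-in for client-side value formatting (assumption: only
// numbers and strings are needed for this demonstration).
function formatValue(value) {
  if (typeof value === 'number' && Number.isFinite(value)) return String(value);
  if (typeof value === 'string') return "'" + value.replace(/'/g, "''") + "'";
  throw new TypeError('unsupported value type: ' + typeof value);
}

// Substitute positional placeholders $1, $2, ... into the query text. The
// callback form of replace inserts its return value literally, so a "$" inside
// a parameter value is not reinterpreted as a replacement pattern.
function formatQuery(query, values) {
  return query.replace(/\$(\d+)/g, (_m, n) => formatValue(values[Number(n) - 1]));
}

// Return the text PostgreSQL would parse: drop "--" comments up to the end of
// the line, but leave "--" alone inside single-quoted strings ('' is an escaped
// quote). Simplified: E'' strings, dollar quoting and /* */ comments are not
// modelled.
function liveSql(sql) {
  let out = '';
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inString) {
      out += c;
      if (c === "'") {
        if (sql[i + 1] === "'") { out += "'"; i++; } else { inString = false; }
      }
    } else if (c === "'") {
      inString = true;
      out += c;
    } else if (c === '-' && sql[i + 1] === '-') {
      const nl = sql.indexOf('\n', i);
      if (nl === -1) break;   // comment runs to the end of the text
      i = nl - 1;             // resume at the newline, which ends the comment
    } else {
      out += c;
    }
  }
  return out;
}

// Condition 1: a numeric placeholder glued to a preceding minus sign.
const VULNERABLE_QUERY = 'SELECT * FROM accounts WHERE balance > -$1 AND owner = $2';
// Same query with parentheses separating the minus from the placeholder.
const HARDENED_QUERY = 'SELECT * FROM accounts WHERE balance > -($1) AND owner = $2';

const BENIGN_VALUES = [5, 'alice'];
// Conditions 2 and 3: the string parameter on the same line is attacker-chosen
// and carries a newline, which terminates the comment that "--5" started.
const HOSTILE_VALUES = [-5, '\n0 OR 1=1 --'];

// Lint check a practitioner can run over query text in a code base: flag any
// "$N" placeholder immediately preceded by a minus sign.
function findMinusPlaceholders(query) {
  return query.match(/-\$\d+/g) || [];
}

function demo() {
  const vulnerable = formatQuery(VULNERABLE_QUERY, HOSTILE_VALUES);
  const hardened = formatQuery(HARDENED_QUERY, HOSTILE_VALUES);
  return {
    lint: findMinusPlaceholders(VULNERABLE_QUERY),
    vulnerableFormatted: vulnerable,
    vulnerableLive: liveSql(vulnerable),   // the "owner" filter is gone, "OR 1=1" is live
    hardenedFormatted: hardened,
    hardenedLive: liveSql(hardened),       // identical to what was sent
  };
}

const result = demo();
console.log('lint hits:      ', result.lint);
console.log('sent to server: ', JSON.stringify(result.vulnerableFormatted));
console.log('parsed as SQL:  ', JSON.stringify(result.vulnerableLive));
console.log('hardened form:  ', JSON.stringify(result.hardenedLive));
```

With the benign values the vulnerable query formats to a harmless "balance > -5 AND owner = 'alice'", which is why the pattern survives ordinary testing; only a negative number exposes it. Putting whitespace or parentheses between the minus and the placeholder, as in HARDENED_QUERY, breaks condition 1 and is a reasonable stopgap for code you cannot redeploy immediately, but the fix for the package itself is the upgrade to 11.5.5.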