Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qMzJqLTJoeHYtcnFmN84AArte
pg-native and libpq vulnerable to uncontrolled resource consumption
pg-native before 3.0.1 and libpq before 1.8.10 are vulnerable to Denial of Service (DoS): the native addon attempts to cast the second argument (the query parameter values) to an array, and that cast fails for every non-array value passed. Note: pg-native is a thin binding over npm's libpq package, which in turn contains the addon and bindings to the actual C libpq library. A problem reported against pg-native can therefore originate in, and need its fix in, npm's libpq (here, node-libpq PR #86), and it transitively affects every consumer of either package.
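Two caller-side checks a maintainer would want, as an added example that is not code from pg-native, libpq or this advisory: a guard that rejects non-array parameter values before they reach the native addon (mirroring the intent of the node-libpq fix, not its code), and a scan of a package-lock-style map that flags resolved versions inside the affected ranges listed below. The `client.query(text, values, callback)` shape, the plain x.y.z version format and the lockfile fragment are assumptions made for the example.

```javascript
'use strict';

// Added example for GHSA-j32j-2hxv-rqf7; not the project's own code.
// Fix versions taken from the advisory: everything below them is affected.
const FIXED_IN = { 'pg-native': '3.0.1', libpq: '1.8.10' };

// Minimal compare for plain x.y.z versions (assumption: no pre-release
// or build suffixes, so a dedicated semver library is not needed here).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when `version` of `pkg` is below the fixed release for this advisory.
function isAffected(pkg, version) {
  const fixed = FIXED_IN[pkg];
  if (fixed === undefined) return false; // not a package this advisory covers
  if (!/^\d+\.\d+\.\d+$/.test(version)) {
    throw new TypeError(`unparsable version: ${version}`);
  }
  return compareVersions(version, fixed) < 0;
}

// Walk a package-lock v2/v3 style "packages" map (keys are install paths)
// and return the entries that fall inside the affected ranges.
function findAffected(lockPackages) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockPackages)) {
    const name = path.split('node_modules/').pop(); // last path segment
    if (name in FIXED_IN && isAffected(name, meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// The addon expects the second argument to be an array of parameter values.
// undefined/null means "no parameters"; any other non-array value is turned
// into a JavaScript exception instead of being handed to native code.
function guardQueryParams(params) {
  if (params === undefined || params === null) return [];
  if (!Array.isArray(params)) {
    throw new TypeError(`query parameters must be an array, got ${typeof params}`);
  }
  return params;
}

// Wrapper around a pg-native-style client (assumed shape:
// client.query(text, values, callback)). Validation errors go to the
// callback so the caller sees an ordinary error rather than a crash.
function safeQuery(client, text, params, cb) {
  let values;
  try {
    values = guardQueryParams(params);
  } catch (err) {
    return cb(err);
  }
  return client.query(text, values, cb);
}

// Constructed sample lockfile fragment for the scan; not real data.
const SAMPLE_LOCK = {
  'node_modules/pg-native': { version: '3.0.0' },
  'node_modules/pg-native/node_modules/libpq': { version: '1.8.9' },
  'node_modules/other-package': { version: '1.0.0' },
};

// Usage: findAffected(SAMPLE_LOCK) reports pg-native@3.0.0 and libpq@1.8.9;
// safeQuery(client, 'SELECT $1', 'oops', cb) delivers a TypeError to cb
// without ever calling client.query.
```

Upgrading to the fixed releases is the real remedy; the guard only stops an application's own call sites from passing a non-array, and `findAffected` only covers the two packages this advisory names.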
Permalink: https://github.com/advisories/GHSA-j32j-2hxv-rqf7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qMzJqLTJoeHYtcnFmN84AArte
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 7 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-j32j-2hxv-rqf7, CVE-2022-25852
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25852
- https://snyk.io/vuln/SNYK-JS-LIBPQ-2392366
- https://snyk.io/vuln/SNYK-JS-PGNATIVE-2392365
- https://github.com/brianc/node-libpq/issues/84
- https://github.com/brianc/node-libpq/pull/86
- https://github.com/advisories/GHSA-j32j-2hxv-rqf7
Blast Radius: 27.9
Affected Packages
npm:pg-native
Dependent packages: 293
Dependent repositories: 5,241
Downloads: 933,371 last month
Affected Version Ranges: <= 3.0.0
Fixed in: 3.0.1
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.10.1, 2.0.0, 2.0.1, 2.2.0, 3.0.0
All unaffected versions: 3.0.1
npm:libpq
Dependent packages: 6
Dependent repositories: 1,463
Downloads: 672,376 last month
Affected Version Ranges: <= 1.8.9
Fixed in: 1.8.10
All affected versions: 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9
All unaffected versions: 1.8.10, 1.8.11, 1.8.12