CVE-2022-25852 – pg-native

Package

Manager: npm
Name: pg-native
Vulnerable Version: >=0 <3.0.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00411 pctl0.60611

Details

pg-native and libpq vulnerable to uncontrolled resource consumption pg-native before 3.0.1 and libpq before 1.8.10 are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. **Note:** pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.

Metadata

Created: 2022-06-18T00:00:20Z
Modified: 2023-10-19T18:45:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-j32j-2hxv-rqf7/GHSA-j32j-2hxv-rqf7.json
CWE IDs: ["CWE-400", "CWE-704"]
Alternative ID: GHSA-j32j-2hxv-rqf7
Finding: F067
Auto approve: 1