PT-2022-17569 · Npm · Pg-Native+1
Cristian-Alexandru Staicu
·
Published
2022-06-17
·
Updated
2023-10-11
·
CVE-2022-25852
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
pg-native versions prior to 3.0.1
libpq versions prior to 1.8.10
Description
The issue is related to a Denial of Service (DoS) condition that occurs when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. The problem is found in pg-native, which is a binding to npm's libpq library, and may transitively impact npm's libpq.
Recommendations
For pg-native versions prior to 3.0.1, update to version 3.0.1 or later to resolve the issue.
For libpq versions prior to 1.8.10, update to version 1.8.10 or later to resolve the issue.
As a temporary workaround, consider restricting the use of the vulnerable
libpq library until a patch is available. Avoid using non-array arguments in the affected API endpoints until the issue is resolved.Exploit
Fix
Resource Exhaustion
Incorrect Type Conversion or Cast
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Libpq
Pg-Native