PT-2023-14205 · Npm · Node-Sqlite3
Dave Mcdaniel · Published 2023-03-13 · Updated 2023-03-22
CVE-2022-43441 · CVSS v3.1 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
node-sqlite3 versions 5.0.0 through 5.1.4
Description
A code execution issue exists in the Statement Bindings functionality of node-sqlite3. It can be triggered by a specially crafted JavaScript file, allowing arbitrary code execution; an attacker can supply malicious input to exploit this issue. The vulnerability can also lead to denial of service if a binding parameter is a crafted Object.
Recommendations
For node-sqlite3 versions 5.0.0 through 5.1.4, upgrade to version 5.1.5 or later to resolve the issue.
As a temporary workaround, ensure that the parent application sufficiently sanitizes values before they are supplied as binding parameters, so that invalid values never reach node-sqlite3.
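One way to apply that interim workaround in the parent application, as an added example that is not part of the advisory or of the node-sqlite3 project: an allowlist check that only lets the value kinds a statement binding legitimately needs (strings, finite numbers, booleans, bigints, Buffers, valid Dates, null) through to the driver and refuses anything else, so a crafted Object never reaches the binding code. The `db` argument of `safeRun` is assumed to expose node-sqlite3's `run(sql, params, callback)` method; the wrapper name and the error strings are this example's own.

```javascript
// Allowlist of value kinds a statement binding legitimately needs. Plain objects,
// class instances, functions and symbols are rejected; Buffer covers BLOB columns.
function isAllowedBindingValue(v) {
  if (v === null || v === undefined) return true;
  const t = typeof v;
  if (t === 'string' || t === 'boolean' || t === 'bigint') return true;
  if (t === 'number') return Number.isFinite(v);
  if (Buffer.isBuffer(v)) return true;
  if (v instanceof Date) return !Number.isNaN(v.getTime());
  return false;
}

function isPlainObject(o) {
  return o !== null && typeof o === 'object' && Object.getPrototypeOf(o) === Object.prototype;
}

// Validates positional (array), named (plain object with $/:/@ keys) or single
// scalar bindings. Returns null when acceptable, otherwise a string naming the
// first offending parameter so the caller can log it and refuse the statement.
function findBadBinding(params) {
  if (params === undefined) return null;
  if (Array.isArray(params)) {
    for (let i = 0; i < params.length; i++) {
      if (!isAllowedBindingValue(params[i])) return `positional parameter ${i}`;
    }
    return null;
  }
  if (isPlainObject(params)) {
    for (const key of Object.keys(params)) {
      if (!/^[$:@]\w+$/.test(key)) return `named parameter key ${JSON.stringify(key)}`;
      if (!isAllowedBindingValue(params[key])) return `named parameter ${key}`;
    }
    return null;
  }
  return isAllowedBindingValue(params) ? null : 'single parameter';
}

// Guarded run (hypothetical wrapper): `db` is assumed to expose node-sqlite3's
// run(sql, params, callback). Returns true if the statement was handed to the
// driver, false if it was refused before the driver ever saw the bindings.
function safeRun(db, sql, params, callback) {
  const problem = findBadBinding(params);
  if (problem !== null) {
    const err = new Error(`refusing statement: invalid binding (${problem})`);
    if (callback) callback(err); else throw err;
    return false;
  }
  db.run(sql, params, callback);
  return true;
}
```

Refused statements surface as an Error in the normal callback path, so existing logging around `db.run` failures will record them.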
Affected Products
Node-Sqlite3