9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16082

GHSA ID

GHSA-wc9v-mj63-m9g5

EPSS Score

0.98638%

CWE

CWE-94

Published

7/24/2018

Updated

9/11/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16082

CVE-2017-16082: Remote Code Execution in pg

Affected versions of pg contain a remote code execution vulnerability that occurs when the remote database or query specifies a crafted column name.

There are two specific scenarios in which it is likely for an application to be vulnerable:

The application executes unsafe, user-supplied sql which contains malicious column names.
The application connects to an untrusted database and executes a query returning results which contain a malicious column name.

Proof of Concept

const { Client } = require('pg')
const client = new Client()
client.connect()

const sql = `SELECT 1 AS "\\'/*", 2 AS "\\'*/\n + console.log(process.env)] = null;\n//"`

client.query(sql, (err, res) => {
  client.end()
})

Recommendation

Version 2.x.x: Update to version 2.11.2 or later.
Version 3.x.x: Update to version 3.6.4 or later.
Version 4.x.x: Update to version 4.5.7 or later.
Version 5.x.x: Update to version 5.2.1 or later.
Version 6.x.x: Update to version 6.4.2 or later. ( Note that versions 6.1.6, 6.2.5, and 6.3.3 are also patched. )
Version 7.x.x: Update to version 7.1.2 or later. ( Note that version 7.0.2 is also patched. )

(GitHub Advisory)

9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16082

GHSA ID

GHSA-wc9v-mj63-m9g5

EPSS Score

0.98638%

CWE

CWE-94

Published

7/24/2018

Updated

9/11/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pg	npm	< 2.11.2	2.11.2
pg	npm	>= 3.0.0, < 3.6.4	3.6.4
pg	npm	>= 4.0.0, < 4.5.7	4.5.7
pg	npm	>= 5.0.0, < 5.2.1	5.2.1
pg	npm	>= 6.0.0, < 6.0.5	6.0.5
pg	npm	>= 6.1.0, < 6.1.6	6.1.6
pg	npm	>= 6.2.0, < 6.2.5	6.2.5
pg	npm	>= 6.3.0, < 6.3.3	6.3.3
pg	npm	>= 6.4.0, < 6.4.2	6.4.2
pg	npm	>= 7.0.0, < 7.0.2	7.0.2
pg	npm	>= 7.1.0, < 7.1.2	7.1.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security patches modify the inlineParser function in lib/result.js to properly escape column names. This function generates row parser code via string concatenation, and the original implementation only replaced the first single quote in column names. Attackers could craft column names with unescaped quotes to inject arbitrary JavaScript code during result parsing. The function would appear in runtime profiles when processing malicious query results, as it's directly responsible for handling column names during result set parsing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `p*` *ont*in * r*mot* *o** *x**ution vuln*r**ility t**t o**urs w**n t** r*mot* **t***s* or qu*ry sp**i*i*s * *r**t** *olumn n*m*. T**r* *r* two sp**i*i* s**n*rios in w*i** it is lik*ly *or *n *ppli**tion to ** vuln*r**l*: *. T*

Reasoning

T** s**urity p*t***s mo*i*y t** `inlin*P*rs*r` *un*tion in `li*/r*sult.js` to prop*rly *s**p* *olumn n*m*s. T*is *un*tion **n*r*t*s row p*rs*r *o** vi* strin* *on**t*n*tion, *n* t** ori*in*l impl*m*nt*tion only r*pl**** t** *irst sin*l* quot* in *olu

9.8

Basic Information

Concerned about an active attack path?

CVE-2017-16082: Remote Code Execution in pg

Proof of Concept

Recommendation

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI