CVE-2019-15658: SQL Injection in connect-pg-simple
CVSS Score: 7.3 (CVSS v3.0)
Basic Information
CVE ID: CVE-2019-15658
GHSA ID
EPSS Score: 0.42963%
CWE
Published: 8/26/2019
Updated: 1/11/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
connect-pg-simple | npm | < 6.0.1 | 6.0.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the schemaName and tableName values being interpolated into SQL without proper escaping. Multiple sources point to the quotedTable function, which builds the table reference by wrapping these strings in double quotes but does not escape double quotes they already contain. A value containing a double quote therefore closes the identifier early, and the remainder of the string is parsed as SQL. The Snyk.io report demonstrates how a malicious schemaName value can change the structure of the query in exactly this way. Because the function places caller-supplied strings directly in SQL identifier positions, it is the injection vector.
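The following is an added example, not connect-pg-simple's own code: a minimal reconstruction of the quote-wrapping pattern the analysis describes, beside a hardened form that applies PostgreSQL's quoted-identifier rule (double any embedded double quote). The function names quotedTableUnsafe, quotedTableSafe, quoteIdent, pruneSql and countTopLevelSemicolons, and the malicious schema name, are illustrative and constructed for this demonstration; the checker is a simplified scanner that only understands double-quoted identifiers, not string literals or comments.

```javascript
// Added example, not connect-pg-simple's code. Names are illustrative.

// PostgreSQL quoted-identifier rule: wrap in double quotes and double any
// embedded double quote. A NUL byte cannot appear in an identifier at all,
// so it is rejected rather than escaped.
function quoteIdent(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  if (name.includes('\0')) {
    throw new TypeError('identifier must not contain NUL');
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// Vulnerable pattern (reconstruction of what the advisory describes): wrap in
// quotes, no escaping. A double quote in the input closes the identifier early
// and everything after it is parsed as raw SQL.
function quotedTableUnsafe(schemaName, tableName) {
  const table = '"' + tableName + '"';
  return schemaName ? '"' + schemaName + '".' + table : table;
}

// Hardened pattern: every identifier goes through quoteIdent, so an embedded
// double quote stays inside the identifier instead of terminating it.
function quotedTableSafe(schemaName, tableName) {
  const table = quoteIdent(tableName);
  return schemaName ? quoteIdent(schemaName) + '.' + table : table;
}

// A statement of the kind a session store issues; only the position of the
// table reference matters for this demonstration.
function pruneSql(quotedTable) {
  return 'DELETE FROM ' + quotedTable + ' WHERE expire < to_timestamp($1)';
}

// Simplified scanner: counts semicolons that fall outside double-quoted
// identifiers, treating "" inside an identifier as an escaped quote. More than
// zero means the identifier broke out into statement-level SQL.
function countTopLevelSemicolons(sql) {
  let inIdent = false;
  let count = 0;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inIdent) {
      if (c === '"') {
        if (sql[i + 1] === '"') {
          i++; // escaped quote, still inside the identifier
        } else {
          inIdent = false;
        }
      }
    } else if (c === '"') {
      inIdent = true;
    } else if (c === ';') {
      count++;
    }
  }
  return count;
}

// Constructed malicious schema name: closes the quoted identifier, appends a
// second statement, and comments out the tail of the original query.
const EVIL_SCHEMA = 'public"."session"; DROP TABLE "session"; --';

function demo() {
  const unsafeSql = pruneSql(quotedTableUnsafe(EVIL_SCHEMA, 'session'));
  const safeSql = pruneSql(quotedTableSafe(EVIL_SCHEMA, 'session'));
  return {
    unsafeSql,
    safeSql,
    unsafeBreakouts: countTopLevelSemicolons(unsafeSql), // 2
    safeBreakouts: countTopLevelSemicolons(safeSql),     // 0
  };
}

console.log(demo());
```

With the unsafe builder the schema value yields `DELETE FROM "public"."session"; DROP TABLE "session"; --"."session" WHERE ...`, two statements plus a comment. With quoteIdent the same value becomes one long, odd-looking but inert identifier. Escaping alone is the minimum fix; in a real deployment these names come from configuration, so an allowlist of expected identifiers is the stricter control.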