7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-25852

GHSA ID

GHSA-j32j-2hxv-rqf7

EPSS Score

0.60594%

CWE

CWE-400

Published

6/18/2022

Updated

10/19/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-25852

CVE-2022-25852: pg-native and libpq vulnerable to uncontrolled resource consumption

pg-native before 3.0.1 and libpq before 1.8.10 are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. Note: pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-25852

GHSA ID

GHSA-j32j-2hxv-rqf7

EPSS Score

0.60594%

CWE

CWE-400

Published

6/18/2022

Updated

10/19/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
libpq	npm	<= 1.8.9	1.8.10
pg-native	npm	<= 3.0.0	3.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security patches add array validation checks to multiple query execution methods in index.js. The vulnerable versions lacked these checks, allowing non-array parameters to trigger failed casting attempts. The added assertions in execParams, execPrepared, sendQueryParams, and sendQueryPrepared directly correlate to the CWE-400/CWE-704 vulnerabilities described. Test cases in async-socket.js and sync-parameters.js verify that non-array parameters now throw errors, confirming these were the entry points for the vulnerability. These functions would appear in runtime profiles when handling malicious parameter inputs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

p*-n*tiv* ***or* *.*.* *n* li*pq ***or* *.*.** *r* vuln*r**l* to **ni*l o* S*rvi** (*oS) w**n t** ***ons *tt*mpt to **st t** s**on* *r*um*nt to *n *rr*y *n* **il. T*is **pp*ns *or *v*ry non-*rr*y *r*um*nt p*ss**. **Not*:** p*-n*tiv* is * m*r* *in*in*

Reasoning

T** s**urity p*t***s *** *rr*y `v*li**tion` ****ks to multipl* qu*ry *x**ution m*t*o*s in `in**x.js`. T** vuln*r**l* v*rsions l**k** t**s* ****ks, *llowin* non-*rr*y p*r*m*t*rs to tri***r **il** **stin* *tt*mpts. T** ***** *ss*rtions in `*x**P*r*ms`,

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-25852: pg-native and libpq vulnerable to uncontrolled resource consumption

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI