CVE-2022-25852: pg-native and libpq vulnerable to uncontrolled resource consumption
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.60594%
CWE
Published: 6/18/2022
Updated: 10/19/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| libpq | npm | <= 1.8.9 | 1.8.10 |
| pg-native | npm | <= 3.0.0 | 3.0.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The security patches add array validation checks to multiple query execution methods in index.js. The vulnerable versions lacked these checks, allowing non-array parameters to trigger failed casting attempts. The added assertions in execParams, execPrepared, sendQueryParams, and sendQueryPrepared directly correlate to the CWE-400/CWE-704 vulnerabilities described. Test cases in async-socket.js and sync-parameters.js verify that non-array parameters now throw errors, confirming these were the entry points for the vulnerability. These functions would appear in runtime profiles when handling malicious parameter inputs.
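For applications that cannot upgrade immediately, the same array check can be enforced at the call site. The following is an added example, not the libpq or pg-native patch: `guardClient`, `checkParams` and the stub client are hypothetical names, the bind parameters are assumed to be the second argument of each of the four methods, and treating a missing parameter list as an empty array is this example's own choice.

```javascript
// Added example: application-side guard, not code from libpq or pg-native.
// Assumption: bind parameters are the second argument of each guarded method.
const GUARDED_METHODS = new Set([
  'execParams', 'execPrepared', 'sendQueryParams', 'sendQueryPrepared',
]);

// Reject anything that is not a real array before it reaches the native layer.
function checkParams(method, params) {
  if (params === undefined || params === null) return []; // this example's choice
  if (!Array.isArray(params)) {
    throw new TypeError(`${method}: parameters must be an array, got ${typeof params}`);
  }
  return params;
}

// Wrap a client so the four methods named in the analysis validate their input.
function guardClient(client) {
  return new Proxy(client, {
    get(target, prop) {
      const value = target[prop];
      if (typeof value !== 'function') return value;
      if (!GUARDED_METHODS.has(prop)) return value.bind(target);
      return (text, params, ...rest) =>
        value.call(target, text, checkParams(prop, params), ...rest);
    },
  });
}

// Constructed stand-in for the native client so the example runs offline.
function makeStubClient() {
  const calls = [];
  const record = (name) => (text, params) => { calls.push({ name, text, params }); return true; };
  const stub = { calls };
  for (const name of GUARDED_METHODS) stub[name] = record(name);
  return stub;
}

function demo() {
  const stub = makeStubClient();
  const pq = guardClient(stub);
  const rejected = [];
  for (const bad of ['1', { id: 1 }, 42]) {        // constructed non-array inputs
    try { pq.execParams('SELECT $1::int', bad); }
    catch (e) { rejected.push(e instanceof TypeError); }
  }
  pq.execPrepared('stmt', [1]);                     // valid array passes through
  pq.sendQueryParams('SELECT 1');                   // missing list becomes []
  return { rejected, calls: stub.calls };
}
```

In a real deployment the object passed to `guardClient` would be the client instance the application already uses; the guard is a stopgap and does not replace upgrading to the patched versions listed above.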