7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-25852

GHSA ID

GHSA-j32j-2hxv-rqf7

EPSS Score

0.60594%

CWE

CWE-400

Published

6/18/2022

Updated

10/19/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-25852

CVE-2022-25852: pg-native and libpq vulnerable to uncontrolled resource consumption

pg-native before 3.0.1 and libpq before 1.8.10 are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. Note: pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-25852

CVE-2022-25852:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-25852

GHSA ID

GHSA-j32j-2hxv-rqf7

EPSS Score

0.60594%

CWE

CWE-400

Published

6/18/2022

Updated

10/19/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
libpq	npm	<= 1.8.9	1.8.10
pg-native	npm	<= 3.0.0	3.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security patches add array validation checks to multiple query execution methods in index.js. The vulnerable versions lacked these checks, allowing non-array parameters to trigger failed casting attempts. The added assertions in execParams, execPrepared, sendQueryParams, and sendQueryPrepared directly correlate to the CWE-400/CWE-704 vulnerabilities described. Test cases in async-socket.js and sync-parameters.js verify that non-array parameters now throw errors, confirming these were the entry points for the vulnerability. These functions would appear in runtime profiles when handling malicious parameter inputs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-25852: pg-native and libpq vulnerable to uncontrolled resource consumption

CVE-2022-25852:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

7.5

7.5

CVE-2022-25852: pg-native and libpq vulnerable to uncontrolled resource consumption

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI