Home > Vulnerability Database > CVE-2022-25852

Mend.io Vulnerability Database

CVE-2022-25852

Good to know:

Date: June 17, 2022

All versions of package pg-native; all versions of package libpq are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. Note: pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.

Language: JS

Severity Score

7.5

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-25852

Url: https://github.com/brianc/node-libpq/issues/84

Url: https://github.com/brianc/node-libpq/pull/86

Url: https://www.mend.io/vulnerability-database/CVE-2022-25852

Severity Score

7.5

Weakness Type (CWE)

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CWE-88

Incorrect Type Conversion or Cast

CWE-704

Uncontrolled Resource Consumption

CWE-400

Top Fix

Upgrade Version

Upgrade to version libpq - 1.8.10;pg-native - 3.0.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-25852

Good to know:

Date: June 17, 2022

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?