HIGH · 7.5

CVE-2022-25852

Vulnerability Description

All versions of package pg-native; all versions of package libpq are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. **Note:** pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.

CVSS Score

7.5

HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: HIGH

Affected Products

Vendor             Product     Versions
Libpq Project      Libpq       All versions
Pg-Native Project  Pg-Native   All versions

Related Weaknesses (CWE)

References

FAQ

What is CVE-2022-25852?

CVE-2022-25852 is a vulnerability with a CVSS score of 7.5 (HIGH). All versions of package pg-native and all versions of package libpq are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed.

How severe is CVE-2022-25852?

CVE-2022-25852 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-25852?

Check the references section above for vendor advisories and patch information. Affected products include libpq (Libpq Project) and pg-native (Pg-Native Project).