
CVE-2022-25852: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

June 17, 2022 (updated November 12, 2023)

All versions of package pg-native and all versions of package libpq are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. Note: pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.

References

  • nvd.nist.gov/vuln/detail/CVE-2022-25852
  • snyk.io/vuln/SNYK-JS-LIBPQ-2392366
  • snyk.io/vuln/SNYK-JS-PGNATIVE-2392365


Affected versions

All versions before 1.8.10

Fixed versions

  • 1.8.10

Solution

Upgrade to version 1.8.10 or above.

Impact: 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Weakness

  • CWE-704: Incorrect Type Conversion or Cast

Source file

npm/libpq/CVE-2022-25852.yml


Page generated Wed, 14 May 2025 12:15:33 +0000.