CNNVD-202506-1687 Information
Jun 12, 2025
cve
CNNVD ID
CNNVD-202506-1687
Related CVE
-
CNNVD Published: 2025-06-12
Description (Chinese)
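pg-promise is a PostgreSQL interface for Node.js by the individual developer Vitaly Tomilov. Versions of pg-promise before 11.5.5 contain a security vulnerability that stems from improper handling of negative numbers and may lead to SQL injection.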
Description (English)
pg-promise is a PostgreSQL interface for Node.js, developed by the individual developer Vitaly Tomilov. Versions of pg-promise prior to 11.5.5 have a security vulnerability caused by the mishandling of negative numbers, which could lead to SQL injection.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
Individual developer
Published
2025-06-12
Last Modified
2026-02-24
References
https://github.com/vitaly-t/pg-promise/discussions/911
https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/
https://nvd.nist.gov/vuln/detail/CVE-2025-29744
Patch
https://github.com/vitaly-t/pg-promise/releases