Intel

AIKIDO-2026-554446

pg-connection-string is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

58

Medium Risk

This Affects:

JSpg-connection-string
2.6.0 - 2.12.0
Fixed in 2.13.0
Are you affected? Scan for Free

TL;DR

Affected versions of this package are vulnerable to prototype pollution when parsing PostgreSQL connection strings. The parse() function builds its result from URL query parameters using a plain object, so a connection string containing keys such as __proto__, constructor, or prototype can modify Object.prototype in the Node.js process. An attacker who can supply a malicious connection string could cause denial of service or, depending on downstream object usage, potentially achieve remote code execution. The fix uses null-prototype objects when assembling parsed connection-string config.

Who does this affect?

You are affected if you use a vulnerable version and pass user-controlled or otherwise untrusted PostgreSQL connection strings to parse(), toClientConfig(), or parseIntoClientConfig(). Applications that only read connection strings from trusted configuration are not exposed to this attack path.

Background info

pg-connection-string is vulnerable to Prototype Pollution in versions 2.6.0 - 2.12.0.

How to fix this

Upgrade the pg-connection-string library to version 2.13.0 or later.