pg-connection-string is vulnerable to Prototype Pollution
58
Medium Risk
Affected versions of this package are vulnerable to prototype pollution when parsing PostgreSQL connection strings. The parse() function builds its result from URL query parameters using a plain object, so a connection string containing keys such as __proto__, constructor, or prototype can modify Object.prototype in the Node.js process. An attacker who can supply a malicious connection string could cause denial of service or, depending on downstream object usage, potentially achieve remote code execution. The fix uses null-prototype objects when assembling parsed connection-string config.
You are affected if you use a vulnerable version and pass user-controlled or otherwise untrusted PostgreSQL connection strings to parse(), toClientConfig(), or parseIntoClientConfig(). Applications that only read connection strings from trusted configuration are not exposed to this attack path.
pg-connection-string is vulnerable to Prototype Pollution in versions 2.6.0 - 2.12.0.
Upgrade the pg-connection-string library to version 2.13.0 or later.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant