Intel

AIKIDO-2026-836981

pg is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

58

Medium Risk

This Affects:

JSpg
7.5.0 - 8.20.0
Fixed in 8.21.0
Are you affected? Scan for Free

TL;DR

The pg client builds query result rows in packages/pg/lib/result.js by assigning server-supplied column names from RowDescription messages onto plain objects in addFields() and parseRow(). When a rogue or compromised PostgreSQL server returns column names such as __proto__, constructor, or prototype, those keys are written without sanitization and can pollute Object.prototype in the Node.js process. That can cause denial of service, unexpected behavior in downstream code, or prototype-pollution gadget abuse depending on how the application uses objects after a query. The fix creates result rows with Object.create(null) so dangerous column names are stored as ordinary properties instead of modifying inherited prototypes.

Who does this affect?

You are affected if you are using a version within the vulnerable range and your application connects to a PostgreSQL server that could be rogue or compromised, for example via DNS hijacking, a man-in-the-middle attack without TLS verification, or a compromised database host.

Background info

pg is vulnerable to Prototype Pollution in versions 7.5.0 - 8.20.0.

How to fix this

Upgrade the pg library to the patch version.