pg is vulnerable to Prototype Pollution
58
Medium Risk
The pg client builds query result rows in packages/pg/lib/result.js by assigning server-supplied column names from RowDescription messages onto plain objects in addFields() and parseRow(). When a rogue or compromised PostgreSQL server returns column names such as __proto__, constructor, or prototype, those keys are written without sanitization and can pollute Object.prototype in the Node.js process. That can cause denial of service, unexpected behavior in downstream code, or prototype-pollution gadget abuse depending on how the application uses objects after a query. The fix creates result rows with Object.create(null) so dangerous column names are stored as ordinary properties instead of modifying inherited prototypes.
You are affected if you are using a version within the vulnerable range and your application connects to a PostgreSQL server that could be rogue or compromised, for example via DNS hijacking, a man-in-the-middle attack without TLS verification, or a compromised database host.
pg is vulnerable to Prototype Pollution in versions 7.5.0 - 8.20.0.
Upgrade the pg library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant