CVE-2022-25852
pg-native and libpq vulnerable to uncontrolled resource consumption
7.5
HIGH
CVSS 3.1
EPSS 0.43%
Description
pg-native before 3.0.1 and libpq before 1.8.10 are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. **Note:** pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.
How to fix CVE-2022-25852
To fix CVE-2022-25852, upgrade the affected packages to the patched versions listed below.
- libpq: upgrade to 1.8.10 or later
- pg-native: upgrade to 3.0.1 or later
Is CVE-2022-25852 being exploited?
Low: EPSS is 0.4%, and no large-scale exploitation activity has currently been observed.
Affected packages (2)
- libpq: from 0, < 1.8.10
- pg-native: from 0, < 3.0.1
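Two defensive checks that follow from the description and the fixed versions above, as an added example that is not part of the advisory or of the pg-native/libpq projects: a version check against the affected ranges named on this page, and a guard that keeps a non-array parameter list from reaching the native addon. The `query(text, values, cb)` client shape is an assumption about the binding's API.

```javascript
// Added example, not the advisory's or the projects' own code.
// Fixed versions are taken from CVE-2022-25852 as stated above.
const FIXED_VERSIONS = { libpq: '1.8.10', 'pg-native': '3.0.1' };

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); pre-release and build
// suffixes are ignored for this range check.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, component-wise comparison: -1, 0 or 1.
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when an installed libpq or pg-native is inside "from 0, < fixed".
function isAffected(pkg, installedVersion) {
  const fixed = FIXED_VERSIONS[pkg];
  if (fixed === undefined) return false; // package not named by the advisory
  return compareSemver(installedVersion, fixed) < 0;
}

// The failure mode described above is triggered by a non-array second
// argument. Only arrays (or an omitted value, treated as "no parameters")
// are passed on; anything else is rejected in JavaScript with a TypeError
// instead of being handed to native code.
function normalizeQueryValues(values) {
  if (values === undefined || values === null) return [];
  if (Array.isArray(values)) return values;
  throw new TypeError('query values must be an array');
}

// Wraps a client exposing query(text, values, cb) (assumed shape) so that
// callers cannot pass a non-array parameter list to the underlying addon.
function safeQuery(client, text, values, cb) {
  let params;
  try { params = normalizeQueryValues(values); } catch (e) { return cb(e); }
  return client.query(text, params, cb);
}
```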
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |