pg-promise SQL Injection vulnerability

Description

pg-promise before 11.5.5 is vulnerable to SQL Injection due to improper handling of negative numbers.

Recommendation

Update the pg-promise package to the latest compatible version. Followings are version details:

• Affected version(s): < 11.5.5
• Patched version(s): 11.5.5

References

• GHSA-ff9h-848c-4xfj
• www.sonarsource.com
• CVE-2025-29744
• CWE-89
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• FUXA SQL Injection vulnerability - fuxa-server - CVE-2023-31719
• FUXA SQL Injection vulnerability - CVE-2023-31717
• LangChain serialization injection vulnerability enables secret extraction - CVE-2025-68665
• LangChain serialization injection vulnerability enables secret extraction - @langchain/core - CVE-2025-68665

You might also like:

How do hackers hack websites?

These 7 PHP mistakes leave your website open to the hackers

Exploiting Server Version Disclosure

Tags:

npm

pg-promise