CVE-2017-16082

CRITICAL

Node-postgres PG < 2.11.2 - Code Injection

Title source: rule

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-16082. PoCs published by nulldreams.

AI-analyzed exploit summary This repository contains a working proof-of-concept for CVE-2017-16082, demonstrating remote code execution in the 'pg' Node.js PostgreSQL client via crafted column names. The exploit leverages unsafe SQL query handling to inject JavaScript code execution.

Description

A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.

Exploits (1)

nomisec WORKING POC 5 stars

by nulldreams · poc

https://github.com/nulldreams/CVE-2017-16082

View Code ZIP pw:eip

This repository contains a working proof-of-concept for CVE-2017-16082, demonstrating remote code execution in the 'pg' Node.js PostgreSQL client via crafted column names. The exploit leverages unsafe SQL query handling to inject JavaScript code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: pg (Node.js PostgreSQL client) versions before 2.11.2, 3.6.4, 4.5.7, 5.2.1, 6.4.2, and 7.1.2

No auth needed

Prerequisites: Network access to a vulnerable application using the 'pg' client · Ability to supply crafted column names via SQL queries

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability

Exploit, Third Party Advisory x_refsource_misc

https://nodesecurity.io/advisories/521

Scores

CVSS v3 9.8

EPSS 0.7081

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

node-postgres/pg 2.0.0 - 2.11.2

npm/pg 0 - 2.11.2npm

Published Jun 07, 2018

Tracked Since Feb 18, 2026