CVE-2017-16082

CRITICAL

Node-postgres PG < 2.11.2 - Code Injection

Title source: rule

Description

A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.

Exploits (1)

nomisec WORKING POC 5 stars
by nulldreams · poc
https://github.com/nulldreams/CVE-2017-16082

References (2)

Scores

CVSS v3 9.8
EPSS 0.7081
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (2)
node-postgres/pg 2.0.0 - 2.11.2
npm/pg 0 - 2.11.2npm
Published Jun 07, 2018
Tracked Since Feb 18, 2026