CVE-2025-29744
MEDIUM
pg-promise < 11.5.5 - SQL Injection via Negative Number Handling
Title source: llmDescription
pg-promise before 11.5.5 is vulnerable to SQL Injection due to improper handling of negative numbers.
References (2)
Core References
Exploit, Issue Tracking
https://github.com/vitaly-t/pg-promise/discussions/911
Exploit, Third Party Advisory
https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/
Scores
CVSS v3
5.4
EPSS
0.0011
EPSS Percentile
29.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
npm/pg-promise
0 - 11.5.5 (npm)
vitaly-t/pg-promise
< 11.5.5
Published
Jun 12, 2025
Tracked Since
Feb 18, 2026