CVE-2017-16082
Remote Code Execution vulnerability in pg (npm)

Tags: Remote Code Execution, Proof of concept, Fixable by Resolved Security

What is CVE-2017-16082 About?

This is a Remote Code Execution vulnerability in the `pg` package, the PostgreSQL client for Node.js. Affected versions generate the JavaScript that parses result rows at runtime and splice each column name into that generated source, escaping only single quotes. A crafted column name, whether set by an attacker-influenced query or returned by a malicious database, can therefore break out of the generated string literal and run arbitrary JavaScript in the Node.js process. The attacker needs only a way to influence the column names of a result set the application parses.

Affected Software

  • pg
    • <2.11.2
    • >=3.0.0, <3.6.4
    • >=4.0.0, <4.5.7
    • >=5.0.0, <5.2.1
    • >=6.0.0, <6.0.5
    • >=6.1.0, <6.1.6
    • >=6.2.0, <6.2.5
    • >=6.3.0, <6.3.3
    • >=6.4.0, <6.4.2
    • >=7.0.0, <7.0.2
    • >=7.1.0, <7.1.2

The lower bound of each range is inclusive: the first release of every affected minor line is vulnerable. Run `npm ls pg` to list every copy of pg in a dependency tree, including copies pulled in transitively, and compare each one against these ranges.

Technical Details

pg (the PostgreSQL client for Node.js) does not assemble result rows with a plain loop. For speed it compiles a row parser for each result set with `new Function`; the generated source contains one assignment per column, with the column name spliced into a single-quoted JavaScript string literal. In affected versions the only escaping applied to the name was replacing `'` with `\'`. A column name containing a backslash followed by a single quote therefore reaches the generated source as `\\'`: the backslash is escaped, the quote is not, and the string literal ends there. Everything after it is parsed as JavaScript and runs inside the Node.js process as soon as the first data row of that result set is parsed. The attacker needs to control a column name in a result set, which happens when: 1) the application runs attacker-influenced SQL, since an alias such as `SELECT 1 AS "..."` names a column without any write access to the database, or 2) the application connects to an untrusted (malicious or compromised) PostgreSQL server, which can return any column name it likes in its row description. The public proof of concept does exactly this: it uses precisely crafted column names that break out of the string literal and inject `console.log(process.env)` into the generated parser.

What is the Impact of CVE-2017-16082?

Successful exploitation runs arbitrary JavaScript inside the Node.js process with that process's privileges. The attacker can read its environment and memory (the public PoC dumps `process.env`, which commonly holds database credentials and API keys), read or tamper with any data the application can reach, and use the host as a foothold for further compromise of the system.

What is the Exploitability of CVE-2017-16082?

Exploitation requires either control over the column names of a result set the application parses (through SQL injection, or an application feature that accepts raw SQL from users) or the ability to point the application at a malicious or compromised PostgreSQL server. It is remote code execution because the crafted column name arrives over the wire, from the database or from user input. A few practical constraints shape the attack. The injection has to control the select list or add a stacked statement; a UNION branch is not enough, because PostgreSQL takes the output column names from the first SELECT. PostgreSQL truncates identifiers to 63 bytes, so a longer payload has to be spread across several column names. The query must return at least one row, since the generated parser only runs when a data row is parsed. On the database side no privileges beyond opening a connection and running a SELECT are needed, and nothing in the pg client validates field names. Applications most at risk are those that build SQL from untrusted input, expose ad hoc query or reporting features, or connect to external databases they do not control.

What are the Known Public Exploits?

PoC author: nulldreams. Commentary: NodeJS + Postgres (Remote Code Execution) 🛰

What are the Available Fixes for CVE-2017-16082?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch replaces the hand-rolled escaping of field names (a string replacement that handled only single quotes) with the js-string-escape library, which also escapes backslashes, double quotes, carriage returns, newlines and the U+2028/U+2029 line terminators. A field name can therefore no longer terminate the string literal it is placed in, so no attacker-supplied text reaches the generated parser as code. This fixes CVE-2017-16082, a code injection via crafted field names, while keeping the inline parser's code generation and its performance intact.
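The generated-parser pattern described under Technical Details and the escaping change described above, shown side by side as an added example. This is a simplified reimplementation written for this page, not pg's source or its patch: the escaping function is our own equivalent of what js-string-escape does, the column name is constructed for the demonstration (it is not the public PoC payload), and `globalThis.injected` is just a marker that proves the injected statement ran.

```javascript
// Added example, not pg's own code: a simplified reimplementation of the
// "generate a row parser with new Function" pattern behind CVE-2017-16082,
// in its vulnerable form and with the kind of escaping the fix introduced.

// Vulnerable generator. Only single quotes are escaped, so a field name that
// contains a backslash followed by a quote ends up as \\' in the generated
// source: the backslash is escaped, the quote is not, and the string literal
// closes early.
function buildRowParserVulnerable(fieldNames) {
  let body = 'var row = {};';
  fieldNames.forEach((name, i) => {
    body += "\nrow['" + name.replace(/'/g, "\\'") + "'] = rowData[" + i + "];";
  });
  body += '\nreturn row;';
  return new Function('rowData', body); // compiles attacker-influenced source
}

// Our own escaping, equivalent in effect to js-string-escape: backslashes,
// both quote styles, CR/LF and the U+2028/U+2029 line terminators are all
// escaped, so no field name can terminate the surrounding literal.
function escapeJsString(s) {
  return String(s).replace(/[\\'"\n\r\u2028\u2029]/g, (c) => ({
    '\\': '\\\\',
    "'": "\\'",
    '"': '\\"',
    '\n': '\\n',
    '\r': '\\r',
    '\u2028': '\\u2028',
    '\u2029': '\\u2029',
  })[c]);
}

// Hardened generator: same code generation, complete escaping.
function buildRowParserFixed(fieldNames) {
  let body = 'var row = {};';
  fieldNames.forEach((name, i) => {
    body += "\nrow['" + escapeJsString(name) + "'] = rowData[" + i + "];";
  });
  body += '\nreturn row;';
  return new Function('rowData', body);
}

// Alternative that removes the bug class entirely: no generated source, the
// field name is only ever used as a runtime property key.
function parseRowNoCodegen(fieldNames, rowData) {
  const row = {};
  fieldNames.forEach((name, i) => { row[name] = rowData[i]; });
  return row;
}

// Constructed column name for the demonstration (not the public PoC payload).
// As a SQL alias it would read: SELECT 1 AS "\'] = (globalThis.injected = true); //"
// The leading backslash-quote closes the literal, the rest is JavaScript, and
// the trailing // discards what the generator appends on that line.
const CRAFTED_COLUMN = "\\'] = (globalThis.injected = true); //";

// Returns true when the injected statement ran while parsing one row.
function demoVulnerable() {
  globalThis.injected = false;
  const parse = buildRowParserVulnerable([CRAFTED_COLUMN, 'id']);
  parse([1, 42]);
  return globalThis.injected;
}

// Returns the marker (stays false) plus proof that the odd column name and the
// other column are still parsed correctly.
function demoFixed() {
  globalThis.injected = false;
  const parse = buildRowParserFixed([CRAFTED_COLUMN, 'id']);
  const row = parse([1, 42]);
  return { injected: globalThis.injected, firstKey: Object.keys(row)[0], id: row.id };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable generator, injected code ran:', demoVulnerable());
  console.log('fixed generator:', demoFixed());
  console.log('no codegen:', parseRowNoCodegen([CRAFTED_COLUMN, 'id'], [1, 42]));
}
```

`demoVulnerable()` returns `true` because the generated source for the first column becomes `row['\\'] = (globalThis.injected = true); //'] = rowData[0];`, a valid statement that executes the attacker's expression. With the hardened generator the same name is emitted as `'\\\'] = ...'` and survives as an ordinary property key. The no-codegen variant is the design to prefer where the speed of a compiled parser is not needed: with no generated source there is nothing for a column name to break out of.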

Available Upgrade Options

  • pg
    • <2.11.2 → Upgrade to 2.11.2
    • >=3.0.0, <3.6.4 → Upgrade to 3.6.4
    • >=4.0.0, <4.5.7 → Upgrade to 4.5.7
    • >=5.0.0, <5.2.1 → Upgrade to 5.2.1
    • >=6.0.0, <6.0.5 → Upgrade to 6.0.5
    • >=6.1.0, <6.1.6 → Upgrade to 6.1.6
    • >=6.2.0, <6.2.5 → Upgrade to 6.2.5
    • >=6.3.0, <6.3.3 → Upgrade to 6.3.3
    • >=6.4.0, <6.4.2 → Upgrade to 6.4.2
    • >=7.0.0, <7.0.2 → Upgrade to 7.0.2
    • >=7.1.0, <7.1.2 → Upgrade to 7.1.2

Each minor line received its own patch release, so the upgrade stays within the line already in use and does not require adopting a new major version.


Additional Resources

What are Similar Vulnerabilities to CVE-2017-16082?

Similar Vulnerabilities: CVE-2017-14849, CVE-2021-23351, CVE-2019-10468, CVE-2022-25916, CVE-2018-1000632