Summary
pg-connection-string/index.js:82-93 calls fs.readFileSync() on unvalidated user-supplied paths from connection string parameters (sslcert, sslkey, sslrootcert). If connection strings come from untrusted sources, any file readable by the process can be exfiltrated.
Additional Findings
- Prototype pollution via server-supplied column names in pg/lib/result.js (Medium)
- SCRAM-SHA-256 accepts an iteration count as low as 1, allowing a rogue server to cheapen brute-force of the client's password (Medium)
- Cleartext password auth is accepted silently with no opt-out (Medium)
Suggested Fix
Validate SSL file paths against an allowlist or require explicit opt-in for file reading from connection strings.
Found during automated security audit.