## pg-promise SQL Injection Vulnerability (CVE-2025-29744) Forces Critical Update to v11.5.5
A critical SQL injection vulnerability in the widely used Node.js library pg-promise has triggered an urgent security update. The flaw, tracked as CVE-2025-29744, affects all versions before 11.5.5 and stems from the library's improper handling of negative numbers, creating a direct path for attackers to manipulate database queries. This is not a theoretical risk; it is a concrete, exploitable weakness in a core dependency for countless applications that interact with PostgreSQL databases.

The vulnerability resides within the pg-promise package itself, a popular interface for PostgreSQL in Node.js environments. The specific failure involves how the library's internal formatting logic processes negative numeric inputs, which can be manipulated to bypass parameterization and inject arbitrary SQL code. The maintainers have released version 11.5.5 to patch this security hole, marking it as a major update from the previous 10.x branch.

This disclosure places immediate pressure on development and security teams across the software industry. Any application using an outdated version of pg-promise is now exposed, potentially allowing unauthorized database access, data theft, or destruction. The update is being pushed via automated dependency managers like RenovateBot, but manual intervention is required for merging the pull request. The incident underscores the persistent threat lurking in software supply chains, where a single, widely-adopted library can become a critical point of failure for thousands of projects simultaneously.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, sql-injection, nodejs, postgresql
- **Credibility**: unverified
- **Published**: 2026-04-03 21:27:16
- **ID**: 49529
- **URL**: https://whisperx.ai/en/intel/49529