Title: [Security] Prototype pollution via server-supplied column names in result rows · Issue #3654 · brianc/node-postgres · GitHub
Open Graph Title: [Security] Prototype pollution via server-supplied column names in result rows · Issue #3654 · brianc/node-postgres
X Title: [Security] Prototype pollution via server-supplied column names in result rows · Issue #3654 · brianc/node-postgres
Description: Split from #3651 as suggested by @charmander. Summary When a PostgreSQL server returns column names like __proto__, constructor, or toString, these are used as object keys in result rows without any sanitization. A rogue or compromised P...
Open Graph Description: Split from #3651 as suggested by @charmander. Summary When a PostgreSQL server returns column names like __proto__, constructor, or toString, these are used as object keys in result rows without an...
X Description: Split from #3651 as suggested by @charmander. Summary When a PostgreSQL server returns column names like __proto__, constructor, or toString, these are used as object keys in result rows without an...
Opengraph URL: https://github.com/brianc/node-postgres/issues/3654
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Security] Prototype pollution via server-supplied column names in result rows","articleBody":"Split from #3651 as suggested by @charmander.\n\n## Summary\n\nWhen a PostgreSQL server returns column names like `__proto__`, `constructor`, or `toString`, these are used as object keys in result rows without any sanitization. A rogue or compromised PostgreSQL server can exploit this to pollute `Object.prototype` on the client.\n\n## Affected code\n\n`packages/pg/lib/result.js` — both `addFields()` and `parseRow()`:\n\n```js\n// addFields() builds the pre-built empty result object:\nconst row = {}\nfor (let i = 0; i \u003c fieldDescriptions.length; i++) {\n const desc = fieldDescriptions[i]\n row[desc.name] = null // desc.name comes from server\n}\nthis._prebuiltEmptyResultObject = { ...row }\n\n// parseRow() assigns parsed values using server-supplied field names:\nparseRow(rowData) {\n const row = { ...this._prebuiltEmptyResultObject }\n for (let i = 0, len = rowData.length; i \u003c len; i++) {\n const field = this.fields[i].name // server-controlled\n row[field] = this._parsers[i](v) // value also server-controlled\n }\n return row\n}\n```\n\n## Threat model\n\nThis is a **rogue server** scenario, not a trusted-config issue. If a client connects to a malicious PostgreSQL server (e.g. via DNS hijack, MITM without TLS verification, or a compromised host), the server controls the column names in `RowDescription` messages. A column named `__proto__` with a crafted value can pollute the prototype chain of all objects in the Node.js process.\n\n## Steps to reproduce\n\n1. Set up a mock PostgreSQL server that returns a `RowDescription` with a field named `__proto__` and a `DataRow` with the value `{\"polluted\": true}` (as a JSON/text column)\n2. Connect a `pg` client to this server and execute any query\n3. After the result is parsed, check `({}).polluted` — it will be `true`\n\n## Impact\n\n- Denial of service (crash or undefined behavior in downstream code)\n- Potential RCE depending on how the application uses objects after pollution\n\n## Suggested fix\n\nUse `Object.create(null)` instead of `{}` for result rows, or reject/rename column names that collide with `Object.prototype` properties:\n\n```js\nconst row = Object.create(null)\n```","author":{"url":"https://github.com/eddieran","@type":"Person","name":"eddieran"},"datePublished":"2026-04-13T09:19:04.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/3654/node-postgres/issues/3654"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:5f66b2c3-8b55-4da0-cc88-17f7c40d8859 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | A71C:25435F:2F2FCE:430826:6A4BC3FE |
| html-safe-nonce | a98da8cd4b2a8bc451c23430f8c5a965302a0ad36c665f1b0f6cef8e86893fc1 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJBNzFDOjI1NDM1RjoyRjJGQ0U6NDMwODI2OjZBNEJDM0ZFIiwidmlzaXRvcl9pZCI6IjMwMTY4NzQ1MjQ3MjcyOTcwMjIiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 4ea431a320eeac7005ed70e90328cba3a66001fc819e3808e43a93a7d49f937c |
| hovercard-subject-tag | issue:4253073426 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/brianc/node-postgres/3654/issue_layout |
| twitter:image | https://opengraph.githubassets.com/db9f41cfdb3178af2b577cb7f35a288fc82e8273ebbd27a54a515ea9d2f9380a/brianc/node-postgres/issues/3654 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/db9f41cfdb3178af2b577cb7f35a288fc82e8273ebbd27a54a515ea9d2f9380a/brianc/node-postgres/issues/3654 |
| og:image:alt | Split from #3651 as suggested by @charmander. Summary When a PostgreSQL server returns column names like __proto__, constructor, or toString, these are used as object keys in result rows without an... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | eddieran |
| hostname | github.com |
| expected-hostname | github.com |
| None | 14aa00ce5bdb34d0eefb5facbffd7de9e144c688d8a93ef8df902d5f94b51dd7 |
| turbo-cache-control | no-preview |
| go-import | github.com/brianc/node-postgres git https://github.com/brianc/node-postgres.git |
| octolytics-dimension-user_id | 50081 |
| octolytics-dimension-user_login | brianc |
| octolytics-dimension-repository_id | 991475 |
| octolytics-dimension-repository_nwo | brianc/node-postgres |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 991475 |
| octolytics-dimension-repository_network_root_nwo | brianc/node-postgres |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 58b8f89190447502561829f30862aa0a99d53367 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width