CVE-2025-29744: 
JavaScript vulnerability analysis and mitigation

CVE-2025-29744 affects pg-promise versions before 11.5.5, exposing a SQL Injection vulnerability due to improper handling of negative numbers. The vulnerability was discovered in early 2024 and publicly disclosed on June 10, 2025. The issue specifically impacts applications using pg-promise in simple query mode when handling SQL statements with negative number parameters ([Wiz], [Sonar Blog]).

The vulnerability occurs when a placeholder is directly preceded by a minus (-) and not separated by whitespace, combined with pg-promise's handling of negative numbers in simple query mode. When a negative number is inserted for the placeholder, it creates two consecutive minus signs in the query (--), which PostgreSQL interprets as the start of a line comment. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N ([NVD], [Wiz]).

When exploited, this vulnerability allows attackers to inject malicious SQL statements and potentially execute arbitrary queries. The attack can bypass the protections that parameterized queries typically provide against SQL injection attacks. The impact is particularly severe when attackers can control both a numeric parameter and a subsequent string parameter in the same query line ([Sonar Blog], [GitHub Discussion]).

The vulnerability has been patched in pg-promise version 11.5.5. The fix involves wrapping negative numbers in parentheses to prevent the creation of SQL line comments. Users are strongly recommended to upgrade to this version or later. The patch modifies the number formatting to ensure that negative numbers are properly handled ([GitHub Discussion], [Wiz]).