Advisories for Npm/Sqlite3 package

2023

sqlite vulnerable to code execution due to Object coercion

Due to the underlying implementation of .ToString(), it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object. Users of sqlite3 v5.0.0 - v5.1.4 are affected by this.

2022

Denial-of-Service due to fatal error when binding invalid parameters

The package sqlite3 before 5.0.3 is vulnerable to Denial of Service (DoS) which will invoke the toString function of the passed parameter. If passed an invalid Function object it will throw and crash the V8 engine.