CVE-2022-43441: Code execution vulnerability due to Object coercion

Due to JSON format limitations, the vulnerability only manifests itself as a remote denial of service in Ghost CMS, which crashes the Node.js process. However, the vulnerability could potentially lead to remote code execution in other products that use it.

Debian Linux Security Advisory 5373-1 - Dave McDaniel discovered that the SQLite3 bindings for Node.js were susceptible to the execution of arbitrary JavaScript code if a binding parameter is a crafted object.

### Impact Due to the underlying implementation of `.ToString()`, it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object. Users of `sqlite3` v5.0.0 - v5.1.4 are affected by this. ### Patches Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later. ### Workarounds * Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters. ### References * Commit: https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781 ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected]) Credits: Dave McDaniel of Cisco Talos