CVE-2024-27289 – github.com/jackc/pgx

Package

Manager: go
Name: github.com/jackc/pgx
Vulnerable Version: >=0 <4.18.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00182 pctl0.40137

Details

pgx SQL Injection via Line Comment Creation ### Impact SQL injection can occur when all of the following conditions are met: 1. The non-default simple protocol is used. 2. A placeholder for a numeric value must be immediately preceded by a minus. 3. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. 4. Both parameter values must be user-controlled. e.g. Simple mode must be enabled: ```go // connection string includes "prefer_simple_protocol=true" // or // directly enabled in code config.ConnConfig.PreferSimpleProtocol = true ``` Parameterized query: ```sql SELECT * FROM example WHERE result=-$1 OR name=$2; ``` Parameter values: `$1` => `-42` `$2` => `"foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"` Resulting query after preparation: ```sql SELECT * FROM example WHERE result=--42 OR name= 'foo 1 AND 1=0 UNION SELECT * FROM secrets; --'; ``` ### Patches The problem is resolved in v4.18.2. ### Workarounds Do not use the simple protocol or do not place a minus directly before a placeholder.

Metadata

Created: 2024-03-04T20:13:11Z
Modified: 2025-06-13T20:45:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-m7wr-2xf7-cm9p
Finding: F297
Auto approve: 1