GHSA-j88v-2chj-qfwx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j88v-2chj-qfwx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-j88v-2chj-qfwx/GHSA-j88v-2chj-qfwx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j88v-2chj-qfwx
- Downstream
- Related
- Published
- 2026-04-22T20:46:51Z
- Modified
- 2026-04-23T14:14:14.540156283Z
- Severity
-
- 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- pgx: SQL Injection via placeholder confusion with dollar quoted string literals
- Details
-
Impact
SQL Injection can occur when:
- The non-default simple protocol is used.
- A dollar quoted string literal is used in the SQL query.
- That string literal contains text that would be would be interpreted as a placeholder outside of a string literal.
- The value of that placeholder is controllable by the attacker.
e.g.
attackValue := `$tag$; drop table canary; --` _, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)This is unlikely to occur outside of a contrived scenario.
Patches
The problem is resolved in v5.9.2.
Workarounds
Do not use the simple protocol to execute queries matching all the above conditions.
- Database specific
{ "github_reviewed": true, "nvd_published_at": null, "cwe_ids": [ "CWE-89" ], "github_reviewed_at": "2026-04-22T20:46:51Z", "severity": "LOW" }- References
Affected packages
Go / github.com/jackc/pgx/v5
Package
- Name
- github.com/jackc/pgx/v5
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/jackc/pgx/v5
Go / github.com/jackc/pgx/v4
Package
- Name
- github.com/jackc/pgx/v4
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/jackc/pgx/v4
Go / github.com/jackc/pgx
Package
- Name
- github.com/jackc/pgx
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/jackc/pgx