GHSA-m7wr-2xf7-cm9p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m7wr-2xf7-cm9p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m7wr-2xf7-cm9p
- Aliases
- Related
- Published
- 2024-03-04T20:13:11Z
- Modified
- 2025-06-13T20:45:26Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- pgx SQL Injection via Line Comment Creation
- Details
-
Impact
SQL injection can occur when all of the following conditions are met:
- The non-default simple protocol is used.
- A placeholder for a numeric value must be immediately preceded by a minus.
- There must be a second placeholder for a string value after the first placeholder; both must be on the same line.
- Both parameter values must be user-controlled.
e.g.
Simple mode must be enabled:
// connection string includes "prefer_simple_protocol=true" // or // directly enabled in code config.ConnConfig.PreferSimpleProtocol = trueParameterized query:
SELECT * FROM example WHERE result=-$1 OR name=$2;Parameter values:
$1=>-42$2=>"foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"Resulting query after preparation:
SELECT * FROM example WHERE result=--42 OR name= 'foo 1 AND 1=0 UNION SELECT * FROM secrets; --';Patches
The problem is resolved in v4.18.2.
Workarounds
Do not use the simple protocol or do not place a minus directly before a placeholder.
- Database specific
{ "nvd_published_at": "2024-03-06T19:15:08Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-89" ], "github_reviewed_at": "2024-03-04T20:13:11Z" }- References
-
- https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
- https://nvd.nist.gov/vuln/detail/CVE-2024-27289
- https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df
- https://github.com/jackc/pgx
- https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw
Affected packages
Go / github.com/jackc/pgx
Package
- Name
- github.com/jackc/pgx
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/jackc/pgx
Go / github.com/jackc/pgx/v4
Package
- Name
- github.com/jackc/pgx/v4
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/jackc/pgx/v4