{"ecosystem":"go","package":"github.com/jackc/pgx","version":null,"bugs":[{"id":969,"ecosystem":"go","package_name":"github.com/jackc/pgx","affected_version":null,"fixed_version":"4.18.2","bug_id":"osv:GHSA-mrww-27vc-gghv","title":"pgx SQL Injection via Protocol Message Size Overflow","description":"### Impact\n\nSQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.\n\n### Patches\n\nThe problem is resolved in v4.18.2 and v5.5.4.\n\n### Workarounds\n\nReject user input large enough to cause a single query or bind message to exceed 4 GB in size.\n","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8","labels":["CVE-2024-27304","GHSA-7jwh-3vrq-q3m8","GO-2024-2606"],"created_at":"2026-04-19T04:32:27.156966+00:00","updated_at":"2026-04-19T04:32:27.156966+00:00"},{"id":968,"ecosystem":"go","package_name":"github.com/jackc/pgx","affected_version":null,"fixed_version":"4.18.2","bug_id":"osv:GHSA-m7wr-2xf7-cm9p","title":"pgx SQL Injection via Line Comment Creation","description":"### Impact\n\nSQL injection can occur when all of the following conditions are met:\n\n1. The non-default simple protocol is used.\n2. A placeholder for a numeric value must be immediately preceded by a minus.\n3. There must be a second placeholder for a string value after the first placeholder; both\nmust be on the same line.\n4. Both parameter values must be user-controlled.\n\ne.g. \n\nSimple mode must be enabled:\n\n```go\n// connection string includes \"prefer_simple_protocol=true\"\n// or\n// directly enabled in code\nconfig.ConnConfig.PreferSimpleProtocol = true\n```\n\nParameterized query:\n\n```sql\nSELECT * FROM example WHERE result=-$1 OR name=$2;\n```\n\nParameter values:\n\n`$1` => `-42`\n`$2` => `\"foo\\n 1 AND 1=0 UNION SELECT * FROM secrets; --\"`\n\nResulting query after preparation:\n\n```sql\nSELECT * FROM example WHERE result=--42 OR name= 'foo\n1 AND 1=0 UNION SELECT * FROM secrets; --';\n```\n\n### Patches\n\nThe problem is resolved in v4.18.2.\n\n### Workarounds\n\nDo not use the simple protocol or do not place a minus directly before a placeholder.","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p","labels":["CVE-2024-27289","GO-2024-2605"],"created_at":"2026-04-19T04:32:27.155945+00:00","updated_at":"2026-04-19T04:32:27.155945+00:00"},{"id":971,"ecosystem":"go","package_name":"github.com/jackc/pgx","affected_version":null,"fixed_version":"2.3.3","bug_id":"osv:GO-2024-2606","title":"SQL injection in github.com/jackc/pgproto3 and github.com/jackc/pgx","description":"An integer overflow in the calculated message size of a query or bind message could allow a single large message to be sent as multiple messages under the attacker's control. This could lead to SQL injection if an attacker can cause a single query or bind message to exceed 4 GB in size.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv","labels":["CVE-2024-27304","GHSA-7jwh-3vrq-q3m8","GHSA-mrww-27vc-gghv"],"created_at":"2026-04-19T04:32:27.158290+00:00","updated_at":"2026-04-19T04:32:27.158290+00:00"},{"id":970,"ecosystem":"go","package_name":"github.com/jackc/pgx","affected_version":null,"fixed_version":"4.18.2","bug_id":"osv:GO-2024-2605","title":"SQL injection in github.com/jackc/pgx/v4","description":"SQL injection is possible when the database uses the non-default simple protocol, a minus sign directly precedes a numeric placeholder followed by a string placeholder on the same line, and both parameter values are user-controlled.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p","labels":["CVE-2024-27289","GHSA-m7wr-2xf7-cm9p"],"created_at":"2026-04-19T04:32:27.157571+00:00","updated_at":"2026-04-19T04:32:27.157571+00:00"}],"total":4,"_cache":"miss"}
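The line-comment injection in the GHSA-m7wr-2xf7-cm9p / GO-2024-2605 records above, worked through in Go as an added example. This is not pgx's code: the placeholder interpolation, the literal quoting and the comment-stripping model of the server's lexer are simplified stand-ins written for this page, and padding negative numbers with a leading space is the hardening this example adopts, not a description of the upstream patch. The query and parameter values are the advisory's own worked case; every function name is this example's.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// placeholderRE matches the $1, $2, ... placeholders of a parameterized query;
// minusPlaceholderRE finds one directly preceded by a minus, the shape the
// advisory's workaround says to avoid.
var (
	placeholderRE      = regexp.MustCompile(`\$(\d+)`)
	minusPlaceholderRE = regexp.MustCompile(`-\$\d+`)
)

// quoteLiteral renders one argument as a PostgreSQL literal; a simple-protocol
// client must do this itself because the statement travels as plain text.
// With padNegative set, a negative number gets a leading space so that "-$1"
// can never fuse with "-42" into the line comment "--42". (Stand-in for this
// example, not pgx's sanitizer.)
func quoteLiteral(arg any, padNegative bool) (string, error) {
	switch v := arg.(type) {
	case int:
		s := strconv.Itoa(v)
		if padNegative && v < 0 {
			s = " " + s
		}
		return s, nil
	case string:
		return "'" + strings.ReplaceAll(v, "'", "''") + "'", nil
	default:
		return "", fmt.Errorf("unsupported argument type %T", arg)
	}
}

// interpolate replaces each $n in sql with the quoted literal for args[n-1],
// which is what simple-protocol execution amounts to.
func interpolate(sql string, args []any, padNegative bool) (string, error) {
	var firstErr error
	out := placeholderRE.ReplaceAllStringFunc(sql, func(m string) string {
		n, _ := strconv.Atoi(m[1:])
		if n < 1 || n > len(args) {
			firstErr = fmt.Errorf("placeholder %s has no argument", m)
			return m
		}
		lit, err := quoteLiteral(args[n-1], padNegative)
		if err != nil {
			firstErr = err
		}
		return lit
	})
	return out, firstErr
}

// stripLineComments models the one lexer rule that matters here: "--" outside
// a quoted literal discards the rest of its line, while "--" inside '...' is
// ordinary text. The result is the SQL the server actually executes.
func stripLineComments(sql string) string {
	var b strings.Builder
	inString := false
	for i := 0; i < len(sql); i++ {
		c := sql[i]
		switch {
		case c == '\'':
			inString = !inString // a doubled '' closes and reopens: same effect
			b.WriteByte(c)
		case inString:
			b.WriteByte(c)
		case c == '-' && i+1 < len(sql) && sql[i+1] == '-':
			for i < len(sql) && sql[i] != '\n' {
				i++
			}
			if i < len(sql) {
				b.WriteByte('\n') // the newline ends the comment and survives
			}
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// minusBeforePlaceholder lists every "-$n" in a statement, for auditing SQL text.
func minusBeforePlaceholder(sql string) []string {
	return minusPlaceholderRE.FindAllString(sql, -1)
}

func main() {
	// Constructed inputs, taken from the advisory's worked case.
	sql := "SELECT * FROM example WHERE result=-$1 OR name=$2;"
	args := []any{-42, "foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"}
	vuln, _ := interpolate(sql, args, false)
	safe, _ := interpolate(sql, args, true)
	fmt.Printf("vulnerable executes: %q\nhardened executes:   %q\naudit: %v\n",
		stripLineComments(vuln), stripLineComments(safe), minusBeforePlaceholder(sql))
}
```

Without padding, `-$1` with `-42` yields `--42`, which comments out the rest of the first line including the opening quote of `$2`; the second line of the string value is then executed as SQL, and the `--` at its end hides the now-orphaned closing quote. With the space, the statement becomes `result=- -42` (still the intended negation) and the string stays a string. The audit helper is the cheap static version of the advisory's workaround: grep your simple-protocol statements for `-$n` before you depend on the fix.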
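The message-size overflow in the GHSA-mrww-27vc-gghv / GO-2024-2606 records above, illustrated in Go as an added example that is not pgproto3's or pgx's code: the length arithmetic of an unchecked encoder, a framing routine that rejects oversize bodies, and the server-side splitting that a wrapped length field drives. The wire layout (type byte, big-endian int32 length counting itself, body) is the PostgreSQL frontend/backend protocol's; the function names are this example's own. A 4 GiB body cannot be built offline, so the wrapped length is shown arithmetically and the splitting on two ordinary frames.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// lengthFieldSize is the int32 length prefix; it counts itself plus the body.
const lengthFieldSize = 4

// naiveLengthField computes the prefix the way an unchecked encoder does,
// int32(bodyLen + 4). Past 4 GiB the value wraps: a body of 4 GiB + 10 bytes
// announces itself as a 14-byte message, and the server parses everything
// after those 14 bytes as further messages whose contents the sender chose.
func naiveLengthField(bodyLen uint64) int32 {
	return int32(bodyLen + lengthFieldSize)
}

// frameQuery encodes a Query ('Q') message, body = SQL text plus NUL, and
// refuses a body whose framed length does not fit in an int32 (the hardened
// behaviour): the wrapped value is never written to the wire.
func frameQuery(sql string) ([]byte, error) {
	body := append([]byte(sql), 0)
	if uint64(len(body)) > math.MaxInt32-lengthFieldSize {
		return nil, errors.New("query body exceeds the int32 message length")
	}
	msg := make([]byte, 1+lengthFieldSize+len(body))
	msg[0] = 'Q'
	binary.BigEndian.PutUint32(msg[1:5], uint32(len(body)+lengthFieldSize))
	copy(msg[5:], body)
	return msg, nil
}

// Frame is one message as the server's reader sees it.
type Frame struct {
	Type byte
	Body []byte
}

// splitFrames reads a byte stream exactly as the server does: trust the length
// field, take that many bytes, repeat. Wherever the length field says a message
// ends is where the next one begins.
func splitFrames(buf []byte) ([]Frame, error) {
	var frames []Frame
	for len(buf) > 0 {
		if len(buf) < 1+lengthFieldSize {
			return frames, errors.New("truncated message header")
		}
		n := int(binary.BigEndian.Uint32(buf[1:5]))
		if n < lengthFieldSize || 1+n > len(buf) {
			return frames, fmt.Errorf("bad message length %d", n)
		}
		frames = append(frames, Frame{Type: buf[0], Body: buf[5 : 1+n]})
		buf = buf[1+n:]
	}
	return frames, nil
}

func main() {
	fmt.Println("naive length field for a 4 GiB + 10 byte body:", naiveLengthField(1<<32+10))
	// Constructed stream of two small, correctly framed queries.
	a, _ := frameQuery("SELECT 1;")
	b, _ := frameQuery("SELECT 2;")
	frames, err := splitFrames(append(a, b...))
	if err != nil {
		panic(err)
	}
	for _, f := range frames {
		fmt.Printf("%c %q\n", f.Type, f.Body)
	}
}
```

The point the advisory's workaround rests on is visible in `splitFrames`: the server has no way to tell a legitimately short message from the first 14 bytes of a wrapped 4 GiB one, so the only defences are the encoder refusing to emit a wrapped prefix (the fix) or the application never letting a single query or bind message grow that large (the workaround).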