{"ecosystem":"go","package":"github.com/jackc/pgx/v5","version":null,"bugs":[{"id":1323,"ecosystem":"go","package_name":"github.com/jackc/pgx/v5","affected_version":null,"fixed_version":"5.5.4","bug_id":"osv:GHSA-mrww-27vc-gghv","title":"pgx SQL Injection via Protocol Message Size Overflow","description":"### Impact\n\nSQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.\n\n### Patches\n\nThe problem is resolved in v4.18.2 and v5.5.4.\n\n### Workarounds\n\nReject user input large enough to cause a single query or bind message to exceed 4 GB in size.\n","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8","labels":["CVE-2024-27304","GHSA-7jwh-3vrq-q3m8","GO-2024-2606"],"created_at":"2026-04-19T04:32:46.901262+00:00","updated_at":"2026-04-19T04:32:46.901262+00:00"},{"id":1327,"ecosystem":"go","package_name":"github.com/jackc/pgx/v5","affected_version":null,"fixed_version":"5.9.0","bug_id":"osv:GO-2026-4772","title":"CVE-2026-33816 in github.com/jackc/pgx","description":"Memory-safety vulnerability in github.com/jackc/pgx/v5.","severity":"medium","status":"fixed","source":"osv","source_url":"https://osv.dev/vulnerability/GO-2026-4772","labels":["CVE-2026-33816","GHSA-9jj7-4m8r-rfcm"],"created_at":"2026-04-19T04:32:46.903156+00:00","updated_at":"2026-04-19T04:32:46.903156+00:00"},{"id":1326,"ecosystem":"go","package_name":"github.com/jackc/pgx/v5","affected_version":null,"fixed_version":"5.9.0","bug_id":"osv:GO-2026-4771","title":"CVE-2026-33815 in github.com/jackc/pgx","description":"Memory-safety vulnerability in github.com/jackc/pgx/v5.","severity":"medium","status":"fixed","source":"osv","source_url":"https://osv.dev/vulnerability/GO-2026-4771","labels":["CVE-2026-33815","GHSA-xgrm-4fwx-7qm8"],"created_at":"2026-04-19T04:32:46.902716+00:00","updated_at":"2026-04-19T04:32:46.902716+00:00"},{"id":1325,"ecosystem":"go","package_name":"github.com/jackc/pgx/v5","affected_version":null,"fixed_version":"5.5.4","bug_id":"osv:GO-2024-2606","title":"SQL injection in github.com/jackc/pgproto3 and github.com/jackc/pgx","description":"An integer overflow in the calculated message size of a query or bind message could allow a single large message to be sent as multiple messages under the attacker's control. This could lead to SQL injection if an attacker can cause a single query or bind message to exceed 4 GB in size.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv","labels":["CVE-2024-27304","GHSA-7jwh-3vrq-q3m8","GHSA-mrww-27vc-gghv"],"created_at":"2026-04-19T04:32:46.902267+00:00","updated_at":"2026-04-19T04:32:46.902267+00:00"},{"id":1324,"ecosystem":"go","package_name":"github.com/jackc/pgx/v5","affected_version":"5.0.0-alpha.5","fixed_version":"5.5.2","bug_id":"osv:GO-2024-2567","title":"Panic in Pipeline when PgConn is busy or closed in github.com/jackc/pgx","description":"Pipeline can panic when PgConn is busy or closed.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/jackc/pgx/commit/dfd198003a03dbb96e4607b0d3a0bb9a7398ccb7","labels":["GHSA-fqpg-rq76-99pq"],"created_at":"2026-04-19T04:32:46.901829+00:00","updated_at":"2026-04-19T04:32:46.901829+00:00"},{"id":1322,"ecosystem":"go","package_name":"github.com/jackc/pgx/v5","affected_version":null,"fixed_version":"5.5.2","bug_id":"osv:GHSA-fqpg-rq76-99pq","title":"Panic in Pipeline when PgConn is busy or closed in github.com/jackc/pgx","description":"Pipeline can panic when PgConn is busy or closed.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/jackc/pgx/commit/dfd198003a03dbb96e4607b0d3a0bb9a7398ccb7","labels":["GO-2024-2567"],"created_at":"2026-04-19T04:32:46.900671+00:00","updated_at":"2026-04-19T04:32:46.900671+00:00"},{"id":1321,"ecosystem":"go","package_name":"github.com/jackc/pgx/v5","affected_version":null,"fixed_version":"5.9.0","bug_id":"osv:GHSA-9jj7-4m8r-rfcm","title":"Memory-safety vulnerability in github.com/jackc/pgx/v5.","description":"Memory-safety vulnerability in github.com/jackc/pgx/v5.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33816","labels":["CVE-2026-33816","GO-2026-4772"],"created_at":"2026-04-19T04:32:46.899520+00:00","updated_at":"2026-04-19T04:32:46.899520+00:00"}],"total":7,"_cache":"miss"}
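The SQL-injection entries above (CVE-2024-27304, GO-2024-2606) describe an integer overflow in the calculated size of a Query or Bind message: the PostgreSQL wire protocol prefixes every message with an Int32 length, so a message whose real size exceeds what that field can hold gets a wrapped, much smaller length prefix, and the server frames the attacker's remaining bytes as additional messages. The Go program below is an added example written for this page, not code from pgx or pgproto3. It computes sizes arithmetically (nothing near 4 GB is allocated), models the overflow with a deliberately naive `wireLength` helper, and shows the advisory's workaround as a `checkBindSize` guard applied before encoding. `bindBodySize` follows the documented Bind layout but assumes text-format parameters and no result-format codes; all three function names are this example's own.

```go
package main

import (
	"fmt"
	"math"
)

// The PostgreSQL wire protocol prefixes every message with an Int32 length that
// counts the prefix itself but not the one-byte message type. A body larger
// than this cannot be framed as a single message.
const maxMessageBody = math.MaxInt32 - 4

// wireLength models the overflow described in the advisory: a length prefix
// produced by narrowing the real size to int32. This is a naive model written
// for this example, not pgproto3's encoder.
func wireLength(bodySize uint64) int32 {
	return int32(bodySize + 4) // bits above 31 are silently dropped
}

// bindBodySize returns the body size of a Bind message for the given portal and
// statement names and parameter lengths, following the documented layout:
// portal\0, statement\0, Int16 parameter-format count (0 here), Int16 parameter
// count, Int32 length plus bytes per parameter, Int16 result-format count (0 here).
func bindBodySize(portal, stmt string, paramLens []uint64) uint64 {
	size := uint64(len(portal)+1) + uint64(len(stmt)+1) + 2 + 2
	for _, l := range paramLens {
		size += 4 + l
	}
	return size + 2
}

// checkBindSize is the advisory's workaround applied before encoding: refuse
// input whose Bind message could not be framed in one Int32-prefixed message.
func checkBindSize(portal, stmt string, paramLens []uint64) error {
	size := bindBodySize(portal, stmt, paramLens)
	if size > maxMessageBody {
		return fmt.Errorf("bind message body is %d bytes, limit is %d", size, maxMessageBody)
	}
	return nil
}

func main() {
	// Constructed input: a single parameter of exactly 4 GiB (1<<32 bytes) bound
	// to the unnamed portal and statement. Only the sizes are computed.
	huge := []uint64{1 << 32}
	body := bindBodySize("", "", huge)
	fmt.Printf("real body size:     %d bytes\n", body)
	fmt.Printf("naive int32 prefix: %d\n", wireLength(body))
	// The wrapped prefix claims a 16-byte message, so a server would frame
	// that much and then parse the rest of the attacker's bytes as new messages.
	fmt.Println("guard on huge input:", checkBindSize("", "", huge))

	// A normal Bind passes the guard.
	fmt.Println("guard on normal input:", checkBindSize("", "stmt_1", []uint64{10, 20}))
}
```

The guard is only a stopgap: the fixed versions listed in the records (pgx v4.18.2, v5.5.4 and pgproto3 v2.3.3) reject oversized messages in the encoder itself, which is where the check belongs. The `GO-` identifiers in the `labels` arrays are Go vulnerability database IDs, so `govulncheck` run against a module that depends on an affected pgx version will report these entries.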