Question 1

Is there a bug in github.com/jackc/pgx/v5?

Accepted Answer

pgx SQL Injection via Protocol Message Size Overflow ### Impact

SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

### Patches

The problem is resolved in v4.18.2 and v5.5.4.

### Workarounds

Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.
 Fixed in github.com/jackc/pgx/v5 4.18.2.

Question 2

Is there a bug in github.com/jackc/pgx/v5?

Accepted Answer

CVE-2026-33816 in github.com/jackc/pgx Memory-safety vulnerability in github.com/jackc/pgx/v5. Fixed in github.com/jackc/pgx/v5 5.9.0.

Question 3

Is there a bug in github.com/jackc/pgx/v5?

Accepted Answer

CVE-2026-33815 in github.com/jackc/pgx Memory-safety vulnerability in github.com/jackc/pgx/v5. Fixed in github.com/jackc/pgx/v5 5.9.0.

Question 4

Is there a bug in github.com/jackc/pgx/v5?

Accepted Answer

SQL injection in github.com/jackc/pgproto3 and github.com/jackc/pgx An integer overflow in the calculated message size of a query or bind message could allow a single large message to be sent as multiple messages under the attacker's control. This could lead to SQL injection if an attacker can cause a single query or bind message to exceed 4 GB in size. Fixed in github.com/jackc/pgx/v5 2.3.3.

Question 5

Is there a bug in github.com/jackc/pgx/v5 5.0.0-alpha.5?

Accepted Answer

Panic in Pipeline when PgConn is busy or closed in github.com/jackc/pgx Pipeline can panic when PgConn is busy or closed. Fixed in github.com/jackc/pgx/v5 5.5.2.

Question 6

Is there a bug in github.com/jackc/pgx/v5?

Accepted Answer

Panic in Pipeline when PgConn is busy or closed in github.com/jackc/pgx Pipeline can panic when PgConn is busy or closed. Fixed in github.com/jackc/pgx/v5 5.5.2.

Question 7

Is there a bug in github.com/jackc/pgx/v5?

Accepted Answer

Memory-safety vulnerability in github.com/jackc/pgx/v5. Memory-safety vulnerability in github.com/jackc/pgx/v5. Fixed in github.com/jackc/pgx/v5 5.9.0.

Severity	Affected	Fixed in	Title	Status	Source
high	any	4.18.2	pgx SQL Injection via Protocol Message Size Overflow ### Impact SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. ### Patches The problem is resolved in v4.18.2 and v5.5.4. ### Workarounds Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.	fixed	osv:GHSA-mrww-27vc-gghv
medium	any	5.9.0	CVE-2026-33816 in github.com/jackc/pgx Memory-safety vulnerability in github.com/jackc/pgx/v5.	fixed	osv:GO-2026-4772
medium	any	5.9.0	CVE-2026-33815 in github.com/jackc/pgx Memory-safety vulnerability in github.com/jackc/pgx/v5.	fixed	osv:GO-2026-4771
medium	any	2.3.3	SQL injection in github.com/jackc/pgproto3 and github.com/jackc/pgx An integer overflow in the calculated message size of a query or bind message could allow a single large message to be sent as multiple messages under the attacker's control. This could lead to SQL injection if an attacker can cause a single query or bind message to exceed 4 GB in size.	fixed	osv:GO-2024-2606
medium	5.0.0-alpha.5	5.5.2	Panic in Pipeline when PgConn is busy or closed in github.com/jackc/pgx Pipeline can panic when PgConn is busy or closed.	fixed	osv:GO-2024-2567
medium	any	5.5.2	Panic in Pipeline when PgConn is busy or closed in github.com/jackc/pgx Pipeline can panic when PgConn is busy or closed.	fixed	osv:GHSA-fqpg-rq76-99pq
critical	any	5.9.0	Memory-safety vulnerability in github.com/jackc/pgx/v5. Memory-safety vulnerability in github.com/jackc/pgx/v5.	fixed	osv:GHSA-9jj7-4m8r-rfcm

github.com/jackc/pgx/v5 known bugs