Back to CVE Browser

CVE-2024-27304

CRITICAL

9.8

CVSS Severity Score

EPSS Score0.1930%

EPSS Percentile30.88th

PublishedMar 6, 2024

Last ModifiedMay 21, 2026

Vulnerability Description

pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

Affected Platforms (CPE)

📦

Jackc

Pgproto3

< 2.3.3

📦

Jackc

Pgx

< 4.18.2

📦

Jackc

Pgx

>= 5.0.0 and < 5.5.4

References & Advisories

🔗 https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007

🔗 https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8

🔗 https://github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4

🔗 https://github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8

🔗 https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df

🔗 https://github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv

🔗 https://www.youtube.com/watch?v=Tfg1B8u1yvE

🔗 https://github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007

Related Vulnerabilities

CVE-2024-1315210.0

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSS Software Mobuy Online Ma...

CVE-2024-309410.0

Backdoor in upstream xz-utils package allows SSH remote code execution (XZ Utils backdoor). Malicious code was discovered in the u...

CVE-2024-56189.9

Incorrect Permission Assignment for Critical Resource vulnerability in PruvaSoft Informatics Apinizer Management Console allows Ac...

CVE-2024-89509.9

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arne Informatics Piramit Aut...