
pgproto3 SQL Injection via Protocol Message Size Overflow

Moderate severity GitHub Reviewed Published Mar 4, 2024 in jackc/pgproto3 • Updated Mar 14, 2024

Package                                    Affected versions    Patched versions
gomod github.com/jackc/pgproto3 (Go)       < 2.3.3              2.3.3
gomod github.com/jackc/pgproto3/v2 (Go)    < 2.3.3              2.3.3
gomod github.com/jackc/pgx/v4 (Go)         < 4.18.2             4.18.2
gomod github.com/jackc/pgx/v5 (Go)         >= 5.0.0, < 5.5.4    5.5.4

Description

Impact

SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Patches

The problem is resolved in v2.3.3.

Workarounds

Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.
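To make the Impact and Workarounds sections concrete, here is an added illustration in Go (not pgproto3's own code): PostgreSQL wire messages carry a one-byte type followed by a big-endian int32 length that counts itself plus the body, so `naiveLength` shows how a truncating conversion wraps for a body at or past 4 GB, and `checkedLength`/`frameHeader` show the hardened form that refuses such a body before a header is ever written. The function names and the sample size are assumptions chosen for the example; no multi-gigabyte buffer is allocated.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// The int32 length field counts its own 4 bytes plus the body, so the
// largest body a single message can describe is MaxInt32-4 bytes.
const maxBodyLen = math.MaxInt32 - 4

// naiveLength mirrors the overflow pattern described in the advisory
// (illustrative, not the project's code): the uint64 size is converted
// to int32 without a range check, so a body of 4 GB + 100 bytes is
// announced as a 104-byte message and the rest of the bytes are parsed
// as further, separate messages.
func naiveLength(bodyLen uint64) int32 {
	return int32(bodyLen + 4)
}

// checkedLength is the hardened form: it refuses any body whose framed
// length would not fit in the int32 length field.
func checkedLength(bodyLen uint64) (int32, error) {
	if bodyLen > maxBodyLen {
		return 0, errors.New("message too large for int32 length field")
	}
	return int32(bodyLen + 4), nil
}

// frameHeader builds the 5-byte header (type byte + length) for a message,
// returning an error instead of emitting a wrapped length for oversized bodies.
func frameHeader(msgType byte, bodyLen uint64) ([]byte, error) {
	n, err := checkedLength(bodyLen)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 5)
	hdr[0] = msgType
	binary.BigEndian.PutUint32(hdr[1:], uint32(n))
	return hdr, nil
}

func main() {
	big := uint64(1)<<32 + 100 // constructed body size just past 4 GB
	fmt.Println("naive (wrapped) length:", naiveLength(big))
	_, err := frameHeader('Q', big)
	fmt.Println("checked:", err)
	hdr, _ := frameHeader('Q', 27)
	fmt.Printf("header for a 27-byte Query body: % x\n", hdr)
}
```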

References

jackc (@jackc) published to jackc/pgproto3 Mar 4, 2024
Published to the GitHub Advisory Database Mar 4, 2024
Reviewed Mar 4, 2024
Last updated Mar 14, 2024

Severity

Moderate

CVE ID

No known CVE

GHSA ID

GHSA-7jwh-3vrq-q3m8
