{"id":"GHSA-m7wr-2xf7-cm9p","summary":"pgx SQL Injection via Line Comment Creation","details":"### Impact\n\nSQL injection can occur when all of the following conditions are met:\n\n1. The non-default simple protocol is used.\n2. A placeholder for a numeric value must be immediately preceded by a minus.\n3. There must be a second placeholder for a string value after the first placeholder; both\nmust be on the same line.\n4. Both parameter values must be user-controlled.\n\ne.g. \n\nSimple mode must be enabled:\n\n```go\n// connection string includes \"prefer_simple_protocol=true\"\n// or\n// directly enabled in code\nconfig.ConnConfig.PreferSimpleProtocol = true\n```\n\nParameterized query:\n\n```sql\nSELECT * FROM example WHERE result=-$1 OR name=$2;\n```\n\nParameter values:\n\n`$1` =\u003e `-42`\n`$2` =\u003e `\"foo\\n 1 AND 1=0 UNION SELECT * FROM secrets; --\"`\n\nResulting query after preparation:\n\n```sql\nSELECT * FROM example WHERE result=--42 OR name= 'foo\n1 AND 1=0 UNION SELECT * FROM secrets; --';\n```\n\n### Patches\n\nThe problem is resolved in v4.18.2.\n\n### Workarounds\n\nDo not use the simple protocol or do not place a minus directly before a placeholder.","aliases":["CVE-2024-27289","GO-2024-2605"],"modified":"2026-02-04T02:28:56.060398Z","published":"2024-03-04T20:13:11Z","related":["CGA-6fr5-f876-7rfw"],"database_specific":{"github_reviewed":true,"cwe_ids":["CWE-89"],"github_reviewed_at":"2024-03-04T20:13:11Z","nvd_published_at":"2024-03-06T19:15:08Z","severity":"HIGH"},"references":[{"type":"WEB","url":"https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27289"},{"type":"WEB","url":"https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"},{"type":"PACKAGE","url":"https://github.com/jackc/pgx"},{"type":"WEB","url":"https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw"}],"affected":[{"package":{"name":"github.com/jackc/pgx","ecosystem":"Go","purl":"pkg:golang/github.com/jackc/pgx"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.18.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json"}},{"package":{"name":"github.com/jackc/pgx/v4","ecosystem":"Go","purl":"pkg:golang/github.com/jackc/pgx/v4"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.18.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-m7wr-2xf7-cm9p/GHSA-m7wr-2xf7-cm9p.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}