PatchSiren cyber security CVE debrief

CVE-2024-27289 jackc CVE debrief

CVE-2024-27289 is a high-severity SQL injection issue in jackc/pgx that affects versions before 4.18.2. According to the vendor and NVD, the risk appears only when the non-default simple protocol is used and a specific placeholder pattern is present in the same line of SQL. The vulnerability is fixed in pgx 4.18.2, and the published workaround is to avoid simple protocol or avoid placing a minus directly before a placeholder.

Vendor: jackc
Product: pgx
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-03-06
Original CVE updated: 2026-05-21
Advisory published: 2024-03-06
Advisory updated: 2026-05-21

Who should care

Teams running Go applications that use pgx, especially codebases that enable the simple protocol or build SQL with user-controlled numeric and string parameters. Security and platform teams should also review any shared query helpers or database abstraction layers that might emit the affected pattern.

Technical summary

NVD records CVE-2024-27289 as a SQL injection issue in jackc/pgx, with the affected version range ending before 4.18.2, and rates it CVSS 3.1 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability is tied to the non-default simple protocol and a narrow query construction pattern: a numeric placeholder immediately preceded by a minus, followed later on the same line by a string placeholder, with both values user-controlled. The upstream fix is in pgx 4.18.2.

Defensive priority

High for any deployment that uses pgx before 4.18.2 and can reach the affected simple-protocol query pattern. If your application does not use simple protocol or does not construct SQL in the described form, urgency is lower, but version review is still recommended.

Recommended defensive actions

  • Upgrade pgx to version 4.18.2 or later.
  • Inventory where the simple protocol is enabled and confirm whether it is necessary.
  • Review SQL generation for the affected pattern: a minus directly before a numeric placeholder with a string placeholder later on the same line.
  • If immediate upgrade is not possible, avoid the simple protocol in affected code paths.
  • Use the linked vendor advisory and patch commit to validate remediation and compare the affected code path against upstream fixes.
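As an added illustration of the query shape described in the technical summary and in the review step above (not code from this page, the pgx project or the vendor advisory), the hypothetical Go helper HasAffectedPattern flags a query when a single line contains a minus directly before a placeholder bound to a numeric argument and, later on that same line, a placeholder bound to a string argument. Sample queries and arguments are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

var (
	minusPlaceholder = regexp.MustCompile(`-\$(\d+)`) // minus directly before "$N"
	anyPlaceholder   = regexp.MustCompile(`\$(\d+)`)  // any "$N"
)

// isNumeric reports whether the bound argument is a Go numeric type.
func isNumeric(v any) bool {
	switch v.(type) {
	case int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64, float32, float64:
		return true
	}
	return false
}

// HasAffectedPattern (hypothetical helper) reports whether some single line of sql
// has a minus directly before a placeholder bound to a numeric argument followed,
// on that same line, by a placeholder bound to a string argument. It flags the
// shape only; whether both values are user-controlled is for the reviewer.
func HasAffectedPattern(sql string, args []any) bool {
	for _, line := range strings.Split(sql, "\n") {
		for _, m := range minusPlaceholder.FindAllStringSubmatchIndex(line, -1) {
			n, err := strconv.Atoi(line[m[2]:m[3]])
			if err != nil || n < 1 || n > len(args) || !isNumeric(args[n-1]) {
				continue
			}
			// Only placeholders after the "-$N" on the same line count.
			for _, p := range anyPlaceholder.FindAllStringSubmatch(line[m[1]:], -1) {
				if j, _ := strconv.Atoi(p[1]); j >= 1 && j <= len(args) {
					if _, ok := args[j-1].(string); ok {
						return true
					}
				}
			}
		}
	}
	return false
}

func main() {
	// Constructed sample query and arguments, not taken from the advisory.
	args := []any{42, "alice"}
	fmt.Println(HasAffectedPattern("SELECT id FROM t WHERE a = -$1 AND name = $2", args))  // true
	fmt.Println(HasAffectedPattern("SELECT id FROM t WHERE a = - $1 AND name = $2", args)) // false
}
```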

Evidence notes

The NVD record for CVE-2024-27289 identifies jackc/pgx as the affected product, lists the vulnerable version range as ending before 4.18.2, classifies the weakness as CWE-89, and assigns CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1 High). NVD also links the upstream patch commit, the GitHub Security Advisory, and a third-party analysis reference.

Official resources

CVE-2024-27289 was published on 2024-03-06T19:15:08.140Z and last modified on 2026-05-21T19:57:50.713Z. The public record and vendor-linked references indicate the fix was released in pgx 4.18.2.