PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-27304 jackc CVE debrief

CVE-2024-27304 is a SQL injection issue, rated critical, in the jackc Go PostgreSQL driver pgx and its wire-protocol library pgproto3. An integer overflow in the message-size calculation lets an attacker who can supply a single oversized query or bind message decide where the driver's output is split into separate protocol messages, which gives an injection path. The issue is fixed in pgx v4.18.2 and v5.5.4, and in pgproto3 v2.3.3.

Vendor
jackc
Product
pgx
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-03-06
Original CVE updated
2026-05-21
Advisory published
2024-03-06
Advisory updated
2026-05-21

Who should care

Go teams using pgx or pgproto3, especially applications that build SQL or bind payloads from untrusted input, handle very large values, or pass attacker-influenced data into PostgreSQL protocol messages. Platform and dependency owners should also check transitive usage.

Technical summary

The vulnerability is an integer overflow in the size calculation for a PostgreSQL query or bind message. The frontend/backend protocol carries each message's length as a 32-bit integer, so a body larger than 4 GB wraps the computed length: the server reads only the bytes the wrapped length describes as the intended message and parses the remainder of the payload as further messages. If an attacker can drive a single query or bind message above 4 GB, what the driver meant to send as one message therefore arrives as several, with the later ones under attacker control. Because a bind message carries parameter values, this turns data that parameterized queries would normally keep out of the SQL into injected statements. NVD lists affected pgx ranges below 4.18.2 and 5.0.0 through 5.5.3, and pgproto3 below 2.3.3.

Defensive priority

Critical. Patch immediately wherever an affected version is in the build, directly or transitively. Note the precondition: exploitation needs a single query or bind message above 4 GB, so a service that caps request and parameter sizes well below that has a narrower exposure than the score alone suggests. The upgrade is still the right fix, because the length check belongs in the driver rather than in every caller.

Recommended defensive actions

  • Upgrade pgx to v4.18.2 or later, or to v5.5.4 or later.
  • Upgrade pgproto3 to v2.3.3 or later. This is the standalone module used by pgx v4 and by code that speaks the protocol directly; pgx v5 ships its own copy of pgproto3 inside the pgx module, so the v5.5.4 upgrade covers it.
  • Audit direct and transitive dependencies to confirm whether pgx or pgproto3 are present in the build and at which version (for a Go module, go list -m all prints every module version the build resolves).
  • Reject or strictly cap user input that could cause a single query or bind message to exceed 4 GB.
  • Add tests or checks that enforce safe message-size limits in code paths that construct SQL or bind payloads.
  • Review any code that concatenates or serializes attacker-controlled data into PostgreSQL protocol messages.
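The mechanism described under Technical summary, together with the size cap and the size-limit check asked for in the actions above, as an added example rather than code from pgx or pgproto3. It relies only on the real wire format (one type byte, a big-endian Int32 length that counts itself but not the type byte, then the body); the toy framer, the function names (wireLength, checkedLength, frameUnchecked, frameChecked, readMessages, overflowDemo) and the sample messages are constructed for this debrief and are not the library's API. The block does not allocate 4 GB: it computes the wrapped length the vulnerable arithmetic would produce and then feeds a server-style parser the byte stream that wrapped header would make the server see.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Toy framer written for this debrief; not pgx or pgproto3 code.
// Real protocol fact it relies on: every PostgreSQL frontend message is a
// one-byte type, a big-endian Int32 length that counts itself but not the
// type byte, then the body.

// maxBody is the largest body the Int32 length field can describe.
const maxBody = math.MaxInt32 - 4

var errTooLarge = errors.New("message body too large for Int32 length field")

// wireLength reproduces the bug class: the body size, which may not fit in
// 32 bits, is narrowed to the 32-bit field and silently wraps.
func wireLength(bodyLen uint64) uint32 {
	return uint32(bodyLen + 4)
}

// checkedLength is the shape of the fix: refuse anything the field cannot hold.
func checkedLength(bodyLen uint64) (uint32, error) {
	if bodyLen > maxBody {
		return 0, errTooLarge
	}
	return uint32(bodyLen + 4), nil
}

type message struct {
	Type byte
	Body []byte
}

func header(typ byte, length uint32) []byte {
	hdr := []byte{typ, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(hdr[1:], length)
	return hdr
}

// frameUnchecked frames a message the way a vulnerable encoder would.
func frameUnchecked(typ byte, body []byte) []byte {
	return append(header(typ, wireLength(uint64(len(body)))), body...)
}

// frameChecked frames a message the way a fixed encoder should.
func frameChecked(typ byte, body []byte) ([]byte, error) {
	n, err := checkedLength(uint64(len(body)))
	if err != nil {
		return nil, err
	}
	return append(header(typ, n), body...), nil
}

// readMessages parses a stream the way the server does: trust the length
// field, take that many bytes, and treat whatever follows as the next message.
func readMessages(stream []byte) ([]message, error) {
	var msgs []message
	for len(stream) > 0 {
		if len(stream) < 5 {
			return nil, errors.New("truncated header")
		}
		n := binary.BigEndian.Uint32(stream[1:5])
		if n < 4 || uint64(n)-4 > uint64(len(stream)-5) {
			return nil, fmt.Errorf("bad length %d", n)
		}
		end := 5 + int(n) - 4
		msgs = append(msgs, message{Type: stream[0], Body: stream[5:end]})
		stream = stream[end:]
	}
	return msgs, nil
}

// overflowDemo shows the consequence without allocating 4 GB. A simple-query
// body of 1<<32 + 40 bytes gets a header claiming length 44, so the server
// reads 40 bytes as the query and parses the rest of the attacker's bytes as
// new messages. Only the part of the stream the server acts on is built here,
// from constructed sample data.
func overflowDemo() ([]message, uint32) {
	attackerBodyLen := uint64(1<<32) + 40
	wrapped := wireLength(attackerBodyLen) // 44, not 4294967340

	visible := []byte(fmt.Sprintf("%-39s\x00", "SELECT name FROM users")) // 40 bytes
	smuggled := frameUnchecked('Q', []byte("DROP TABLE users;\x00"))      // attacker-chosen
	stream := append(header('Q', wrapped), visible...)
	stream = append(stream, smuggled...)

	msgs, err := readMessages(stream)
	if err != nil {
		panic(err)
	}
	return msgs, wrapped
}

func main() {
	msgs, wrapped := overflowDemo()
	fmt.Printf("wrapped length field: %d\n", wrapped)
	for i, m := range msgs {
		fmt.Printf("message %d: type %c, %d-byte body %q\n", i, m.Type, len(m.Body), m.Body)
	}
	_, err := checkedLength(uint64(1<<32) + 40)
	fmt.Println("fixed encoder on a >4 GB body:", err)
}
```

Run it with go run: the server-style parser recovers two messages from what was meant to be one, and the checked encoder rejects the oversized body with an error, which is the behaviour callers should expect from the fixed versions (the exact API of the fix is not reproduced here).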

Evidence notes

The NVD record states that SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB and that an integer overflow can split one large message into multiple attacker-controlled messages. The same record lists the affected CPE ranges for pgx and pgproto3 and identifies the issue as critical (CVSS 9.8). GitHub Security Advisory and patch references are included for pgx and pgproto3, supporting the fixed versions cited in the record.

Official resources

Publicly disclosed on 2024-03-06 per the CVE record; NVD metadata was last modified on 2026-05-21. Use the published date for incident timing.