CVE-2024-27289

8.1 HIGH

📋 TL;DR

This SQL injection vulnerability in pgx, the PostgreSQL driver for Go, allows an attacker to run arbitrary SQL when a narrow set of conditions is met. With the non-default simple protocol, pgx renders parameter values into the query text on the client instead of sending them separately. A negative number substituted directly after a literal minus sign yields "--", which PostgreSQL reads as the start of a line comment; a string placeholder later on the same line is then swallowed by that comment, and a newline inside the attacker's string value ends the comment and lets the remainder of the value execute as SQL. Exploitation requires all of: the simple protocol, a minus immediately before a numeric placeholder, a string placeholder after it on the same line, and attacker control of both values.

💻 Affected Systems

Products:
  • jackc/pgx
Versions: All versions prior to 4.18.2
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Exploitable only when all of the following hold: the non-default simple protocol is in use; a numeric placeholder is immediately preceded by a literal minus sign (for example -$1); a string placeholder follows it on the same line; and both parameter values are attacker-controlled. The default extended protocol is not affected because parameters never become part of the query text.

📦 What is this software?

pgx is a pure Go driver and toolkit for PostgreSQL (github.com/jackc/pgx). By default it uses the PostgreSQL extended query protocol, in which parameter values travel separately from the SQL text. The simple protocol, which this vulnerability concerns, is opt-in and makes pgx render the values into the query string on the client before sending it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of whatever the application's database role can reach: data theft, modification or deletion. If that role is a superuser or holds pg_execute_server_program, the attacker can additionally run commands on the database host (for example via COPY ... TO PROGRAM), turning the injection into remote code execution.

🟠

Likely Case

Data exfiltration, privilege escalation within the database, or data manipulation.

🟢

If Mitigated

Limited impact where the application uses the default extended protocol, never places a minus directly before a placeholder, or rejects negative values for such parameters. Network segmentation and least-privilege database roles bound what a successful injection can reach but do not prevent the injection itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a query of the specific shape described above and attacker control of both parameter values, so each exploit is application-specific rather than a drop-in attack against pgx. Public technical analysis is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.18.2

Vendor Advisory: https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p

Restart Required: Yes

Instructions:

1. Update the dependency: go get github.com/jackc/pgx/v4@v4.18.2 (or a later 4.x release), then run go mod tidy.
2. Confirm go.mod now lists github.com/jackc/pgx/v4 v4.18.2 or later and that no replace directive pins an older copy.
3. Rebuild and redeploy the application, then restart the services. The fix is compiled into the binary, so changing go.mod alone does nothing in production.

🔧 Temporary Workarounds

Disable Simple Protocol

all

Use the default extended protocol, in which parameter values are sent to the server separately and are never rendered into the query text.

In pgx v4, set PreferSimpleProtocol to false on pgx.ConnConfig (or remove prefer_simple_protocol=true from the connection string) and remove any per-query pgx.QuerySimpleProtocol(true) option. Deployments behind PgBouncer in transaction pooling mode often enable the simple protocol to avoid prepared-statement problems; check those first.

Avoid Minus Before Placeholder

all

Ensure a literal minus sign is never placed directly before a numeric placeholder.

Search SQL strings for the pattern -$<n> (for example: grep -rnE -- '-\$[0-9]+' .) and rewrite such expressions as -($1) or 0 - $1, so the rendered value can never sit adjacent to the minus. Review the string placeholder later on the same line as well, since that is the value the comment hides.
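The mechanism behind the placeholder pattern, shown as an added Go example that is not pgx's code: a minimal model of simple-protocol client-side interpolation. quoteString, quoteNumber, interpolate, effectiveSQL and injected are this example's own helpers, and the sample query and attacker values are constructed. The padNegative flag models the shape of the 4.18.2 fix (a space in front of negative numbers), so that "-" and "-1" can no longer fuse into the "--" comment token.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// A constructed query of the vulnerable shape: a literal minus directly before
// a numeric placeholder, and a string placeholder later on the same line.
const vulnerableQuery = "SELECT id, name FROM accounts WHERE balance > -$1 AND owner = $2"

// The SQL the attacker wants executed; it rides inside the second argument.
const smuggled = "UNION SELECT id, password FROM users"

// quoteString renders s as a PostgreSQL string literal by doubling single quotes.
func quoteString(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// quoteNumber renders n as SQL text. padNegative=false is the unpatched
// behaviour: "-" in the query followed by "-1" fuses into "--". padNegative=true
// models the fix: a leading space gives "- -1", which stays arithmetic.
func quoteNumber(n int64, padNegative bool) string {
	s := strconv.FormatInt(n, 10)
	if padNegative && n < 0 {
		s = " " + s
	}
	return s
}

var placeholderRe = regexp.MustCompile(`\$(\d+)`)

// interpolate substitutes $1..$n into query as a simple-protocol client must:
// the server receives one text string and no separate parameters.
func interpolate(query string, args []any, padNegative bool) (string, error) {
	var err error
	rendered := placeholderRe.ReplaceAllStringFunc(query, func(ph string) string {
		idx, _ := strconv.Atoi(ph[1:])
		if idx < 1 || idx > len(args) {
			err = fmt.Errorf("placeholder %s has no argument", ph)
			return ph
		}
		switch v := args[idx-1].(type) {
		case int64:
			return quoteNumber(v, padNegative)
		case string:
			return quoteString(v)
		default:
			err = fmt.Errorf("unsupported argument type %T", v)
			return ph
		}
	})
	return rendered, err
}

// effectiveSQL returns what the server parses: any "--" outside a single-quoted
// literal discards the rest of that line. The newline is kept, so the next
// line remains live SQL.
func effectiveSQL(rendered string) string {
	var b strings.Builder
	inLiteral := false
	for i := 0; i < len(rendered); i++ {
		c := rendered[i]
		if c == '\'' {
			inLiteral = !inLiteral // a doubled '' toggles twice, net unchanged
		}
		if !inLiteral && c == '-' && i+1 < len(rendered) && rendered[i+1] == '-' {
			for i < len(rendered) && rendered[i] != '\n' {
				i++
			}
			if i == len(rendered) {
				break
			}
			c = '\n'
		}
		b.WriteByte(c)
	}
	return b.String()
}

// injected reports whether marker lands in the effective SQL outside a string
// literal (even number of quotes before it), i.e. whether it would execute.
func injected(rendered, marker string) bool {
	eff := effectiveSQL(rendered)
	i := strings.Index(eff, marker)
	return i >= 0 && strings.Count(eff[:i], "'")%2 == 0
}

func main() {
	// Constructed attacker values: -1 forms the "--"; the leading newline in the
	// string ends the comment; the trailing "--" hides the closing quote.
	args := []any{int64(-1), "\n0 " + smuggled + " --"}
	for _, padNegative := range []bool{false, true} {
		rendered, err := interpolate(vulnerableQuery, args, padNegative)
		if err != nil {
			panic(err)
		}
		fmt.Printf("padNegative=%-5v sent=%q\n  effective=%q injected=%v\n",
			padNegative, rendered, effectiveSQL(rendered), injected(rendered, smuggled))
	}
}
```

Running it shows the unpatched rendering sent to the server as "... balance > --1 AND owner = '<newline>0 UNION SELECT ...", which the server reduces to "... balance > <newline>0 UNION SELECT id, password FROM users", while the padded rendering keeps the whole attacker string inside its literal. The same model also explains why validating the string argument alone is not a fix: the quoting is correct, it is the comment in front of it that removes the opening quote from the server's view.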

🧯 If You Can't Patch

  • Reject negative values (or normalize them before the query runs) for any numeric parameter that sits directly after a literal minus; without a negative value the "--" token cannot form. Sanitizing the string parameter on its own does not help, because pgx already quotes it correctly; the comment created in front of it is what defeats that quoting.
  • Use network segmentation and least-privilege database roles to limit what a successful injection can reach; this bounds the impact but does not prevent the injection.

🔍 How to Verify

Check if Vulnerable:

Check go.mod and go.sum for a pgx version below 4.18.2, then confirm whether the simple protocol is ever enabled (PreferSimpleProtocol on pgx.ConnConfig, prefer_simple_protocol in a connection string, or pgx.QuerySimpleProtocol(true) on individual queries) and whether any SQL string places a minus directly before a placeholder. Both must be true for the vulnerable code path to be reachable.

Check Version:

grep 'jackc/pgx' go.mod
go list -m github.com/jackc/pgx/v4
govulncheck ./...

Verify Fix Applied:

Confirm go.mod and go.sum list pgx 4.18.2 or later, that no replace directive pins an older copy, that the deployed binary was rebuilt from that module graph, and that the application functions correctly after the update.

📡 Detection & Monitoring

Log Indicators:

  • Logged statement text (PostgreSQL log_statement or log_min_error_statement) containing "--" immediately followed by a digit, which is how a literal minus fused with a client-rendered negative number appears; with the simple protocol the server logs the fully interpolated query, so placeholders themselves never show up in database logs
  • Statements in which such a "--" is followed by a newline, or that carry UNION or DDL after a newline where the application's query should have ended with a string comparison
  • Database error logs showing syntax errors on application connections, which point to failed injection attempts

Network Indicators:

  • Application servers issuing query shapes they do not normally send, or result sets drawn from tables the endpoint does not use
  • Increased database error rates from a single application host or endpoint

SIEM Query:

source="database_logs" AND ("syntax error at or near" OR regex("--[0-9]"))

Adjust the match syntax to the SIEM in use.
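A log triage routine over constructed PostgreSQL statement-log records, added here as an example and not the page's or pgx's code. It extracts the statement text, looks for "--" immediately followed by a digit, and grades the hit higher when a newline follows, which is the shape the vulnerable rendering produces. The sample records, severity and triage are all this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed records in the shape of PostgreSQL log_statement=all output, with
// each multi-line statement already joined into one record by the collector.
// Sample data for this example only, not real logs.
var sampleRecords = []string{
	"2024-03-10 10:00:01 UTC [4410] app@shop LOG:  statement: SELECT id, name FROM accounts WHERE balance > -5 AND owner = 'alice'",
	"2024-03-10 10:00:02 UTC [4411] app@shop LOG:  statement: SELECT id, name FROM accounts WHERE balance > --1 AND owner = '\n0 UNION SELECT id, password FROM users --'",
	"2024-03-10 10:00:03 UTC [4412] app@shop LOG:  statement: -- nightly maintenance 2024-03-10\nVACUUM ANALYZE accounts",
	"2024-03-10 10:00:04 UTC [4413] app@shop LOG:  statement: SELECT id FROM accounts WHERE balance > - -1",
	"2024-03-10 10:00:05 UTC [4414] app@shop ERROR:  syntax error at or near \"UNION\" at character 61",
}

// fusedMinus matches "--" immediately followed by a digit: the token produced
// when a "-" in the query text fuses with a client-rendered negative number.
// Human-written comments rarely start with a digit, so this is low-noise.
var fusedMinus = regexp.MustCompile(`--[0-9]`)

// statementText returns the SQL part of a statement record, or "" for records
// that are not statement lines (errors, connection events, ...).
func statementText(record string) string {
	_, stmt, ok := strings.Cut(record, "statement: ")
	if !ok {
		return ""
	}
	return stmt
}

// severity grades one record. "high": a fused "--<digit>" with a newline after
// it, so whatever followed the newline ran as live SQL. "medium": the fused
// token with no continuation line. "none": nothing suspicious.
func severity(record string) string {
	stmt := statementText(record)
	m := fusedMinus.FindStringIndex(stmt)
	if m == nil {
		return "none"
	}
	if strings.Contains(stmt[m[1]:], "\n") {
		return "high"
	}
	return "medium"
}

// triage returns the records worth a look, each prefixed with its severity.
func triage(records []string) []string {
	var hits []string
	for _, r := range records {
		if s := severity(r); s != "none" {
			hits = append(hits, s+": "+r)
		}
	}
	return hits
}

func main() {
	for _, h := range triage(sampleRecords) {
		fmt.Println(h)
	}
}
```

On the sample data only the [4411] record is flagged: the legitimate negative literal, the comment that starts with a word, and the patched "- -1" rendering all pass. Feed real collector output through statementText and severity in the same way; if the collector does not join continuation lines, join them first, since the newline is what separates "medium" from "high".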
