CVE-2024-27304

9.8 CRITICAL

📋 TL;DR

This CVE describes an SQL injection vulnerability in the pgx PostgreSQL driver for Go. An integer overflow when processing extremely large queries (over 4GB) allows attackers to split malicious SQL into multiple controlled messages. All applications using vulnerable versions of pgx are affected.

💻 Affected Systems

Products:
  • pgx PostgreSQL driver for Go
Versions: All versions before v4.18.2 and v5.5.4
Operating Systems: All operating systems running Go applications with pgx
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that process user-controlled queries or bind messages.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full database compromise including data theft, modification, deletion, and potential remote code execution on the database server.

🟠

Likely Case

Data exfiltration, privilege escalation, and unauthorized database modifications through SQL injection.

🟢

If Mitigated

Limited impact with proper input validation and query size restrictions in place.

🌐 Internet-Facing: HIGH - Web applications using pgx with user-controlled queries are directly exposed.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires ability to send extremely large queries (4GB+), which may be challenging in many real-world scenarios.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.18.2 or v5.5.4

Vendor Advisory: https://github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8

Restart Required: Yes

Instructions:

1. Update pgx dependency to v4.18.2+ (for v4) or v5.5.4+ (for v5).
2. Run 'go mod tidy' to update go.mod.
3. Rebuild and redeploy your application.
4. Restart the application service.

🔧 Temporary Workarounds

Query Size Limitation

all

Implement input validation to reject queries or bind messages exceeding 4GB in size.

// Go code example (needs "fmt" imported; 4294967296 bytes = 4 GB, the page's threshold):
if len(query) > 4294967296 { return fmt.Errorf("query too large: %d bytes", len(query)) }
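A fuller version of this workaround, added here as an example and not taken from pgx or the advisory: it sizes the SQL text together with its bind parameters (the advisory covers oversized bind messages too) and rejects the statement before the driver sees it. The function names, the 32-byte per-parameter bound for non-string types, and the 1 MiB application ceiling are assumptions; the 4 GB figure is the page's.

```go
package main

import (
	"errors"
	"fmt"
)

// AdvisoryLimit is the 4 GB threshold named on the page: a single query or
// bind message at or above this size overflows the 32-bit length field.
const AdvisoryLimit int64 = 4294967296

// ErrOversized is returned for any statement that fails the size check.
var ErrOversized = errors.New("query or bind message exceeds size limit")

// ParamBytes estimates the bytes one bind parameter adds to the Bind message.
// Strings and byte slices travel verbatim. Other scalar types (integers,
// floats, booleans, timestamps) encode to a few bytes; 32 is an assumed
// upper bound, not a pgx figure.
func ParamBytes(arg any) int64 {
	switch v := arg.(type) {
	case nil:
		return 0
	case string:
		return int64(len(v))
	case []byte:
		return int64(len(v))
	default:
		return 32
	}
}

// MessageSize sums the SQL text and every parameter, approximating the
// combined size of the Query/Parse and Bind messages pgx would send.
func MessageSize(query string, args ...any) int64 {
	total := int64(len(query))
	for _, a := range args {
		total += ParamBytes(a)
	}
	return total
}

// CheckSize rejects a statement whose estimated size reaches limit. A limit
// of zero (or one above the advisory threshold) falls back to AdvisoryLimit;
// real applications should pass something far smaller, e.g. 1 MiB.
func CheckSize(limit int64, query string, args ...any) error {
	if limit <= 0 || limit > AdvisoryLimit {
		limit = AdvisoryLimit
	}
	if n := MessageSize(query, args...); n >= limit {
		return fmt.Errorf("%w: %d bytes, limit %d", ErrOversized, n, limit)
	}
	return nil
}

func main() {
	const appLimit = 1 << 20 // 1 MiB, an assumed application-level ceiling

	// Normal parameterised statement: passes (prints <nil>).
	fmt.Println(CheckSize(appLimit, "SELECT name FROM users WHERE id = $1", 42))

	// A 2 MiB blob parameter (constructed here) exceeds the 1 MiB ceiling and
	// is rejected before pgx ever sees it.
	blob := make([]byte, 2<<20)
	fmt.Println(CheckSize(appLimit, "INSERT INTO files (data) VALUES ($1)", blob))
}
```

Call CheckSize immediately before every Exec/Query/QueryRow that carries user-controlled input. Sizes are int64 so the constant compiles on 32-bit targets, where the one-line check above would not, and the application limit is deliberately far below the overflow threshold: no legitimate statement needs gigabytes, so a small ceiling both blocks this bug and bounds memory use.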

🧯 If You Can't Patch

  • Implement strict input validation to reject any user input that could result in queries approaching 4GB size
  • Deploy WAF rules to block SQL injection attempts and monitor for unusually large database queries

🔍 How to Verify

Check if Vulnerable:

Check go.mod or go.sum for pgx version: grep 'github.com/jackc/pgx' go.mod

Check Version:

grep -E 'github\.com/jackc/pgx(/v[45])? v(4\.([0-9]|1[0-7])\.[0-9]+|4\.18\.[01]|5\.[0-4]\.[0-9]+|5\.5\.[0-3])( |$)' go.mod

Verify Fix Applied:

Verify pgx version is v4.18.2+ or v5.5.4+ in go.mod and that the application builds successfully

📡 Detection & Monitoring

Log Indicators:

  • Unusually large query sizes (>1GB) in application logs
  • Multiple rapid database connections from single source
  • SQL syntax errors from malformed queries

Network Indicators:

  • Large payloads (>4GB) sent to PostgreSQL port 5432
  • Unusual query patterns in database traffic

SIEM Query:

source="application_logs" AND ("query size" > 1073741824 OR "SQL error" OR "pgx")

🔗 References
