Platform
go
Component
github.com/jackc/pgproto3/v2
Fixed in
4.18.3
5.0.1
2.3.3
CVE-2024-27304 describes a critical SQL Injection vulnerability discovered in the github.com/jackc/pgproto3/v2 library. This flaw arises from an integer overflow when calculating message sizes, enabling attackers to manipulate message boundaries and potentially inject malicious SQL queries. The vulnerability impacts applications utilizing versions of pgproto3/v2 before 2.3.3. A patch has been released in version 2.3.3.
The core of this vulnerability lies in the ability to exploit an integer overflow within the pgproto3/v2 library, which is a core component for PostgreSQL interaction in Go applications. An attacker can craft a single, oversized message that is internally processed as multiple smaller messages. This manipulation allows them to bypass security checks and inject arbitrary SQL commands. Successful exploitation could lead to unauthorized data access, modification, or deletion within the PostgreSQL database. The potential blast radius is significant, encompassing any application relying on the vulnerable pgproto3/v2 library to interact with a PostgreSQL database, potentially exposing sensitive data and compromising the entire application’s integrity. This vulnerability shares similarities with other message size manipulation exploits where unexpected data sizes are leveraged to bypass security controls.
CVE-2024-27304 was publicly disclosed on March 14, 2024. Its severity is classified as CRITICAL with a CVSS score of 9.8. As of this writing, the vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept exploits are currently unavailable, but the critical nature of the vulnerability suggests a high probability of exploitation if a PoC is released. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
1.93% (83% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-27304 is to immediately upgrade to version 2.3.3 or later of the github.com/jackc/pgproto3/v2 library. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. While not a complete solution, input validation and sanitization on the application side can help prevent oversized messages from being sent to the database. Additionally, consider implementing Web Application Firewall (WAF) rules to detect and block suspicious SQL queries. Monitor PostgreSQL logs for unusual activity or error messages related to message sizes. After upgrading, confirm the fix by sending a large query and verifying that the message size calculation remains within expected bounds.
Update the pgx library to version 4.18.2 or higher, or to version 5.5.4 or higher. This corrects the SQL injection vulnerability caused by an integer overflow in the protocol message size. Alternatively, reject user inputs large enough to cause a single query or bind message to exceed 4 GB.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-27304 is a critical SQL Injection vulnerability in the github.com/jackc/pgproto3/v2 library, allowing attackers to inject malicious SQL through oversized messages.
You are affected if your Go application uses github.com/jackc/pgproto3/v2 versions prior to 2.3.3 and interacts with a PostgreSQL database.
Upgrade to version 2.3.3 or later of github.com/jackc/pgproto3/v2. Consider temporary workarounds like input validation if immediate upgrade is not possible.
While no public exploits are currently available, the vulnerability's critical nature suggests a high probability of exploitation if a PoC is released.
Refer to the GitHub repository for updates: https://github.com/jackc/pgproto3/releases
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.