← Back

Pgproto3

pgproto3

Vendor: Jackc • 2 CVEs

CVEs (2)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2026-32286
1Jackc
1Pgproto3
Jun 3, 2026
Mar 26, 2026
N/A· v4
7.5 HIGH· v3
N/A· v2
The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
CVE-2024-27304
3Jackc
Pgproto3 ProjectPgx Project
4Pgproto3
Pgproto3Pgx+1 more
May 21, 2026
Mar 6, 2024
N/A· v4
9.8 CRITICAL· v3
N/A· v2
pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one...Show more
pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.Show less