External risk intelligence

Attacker can steal data or control systems using a large PostgreSQL query

CVE advisory
Severity: CRITICAL (CVSS 9.8)

CVE-2024-27304

A critical flaw in the pgx PostgreSQL driver for Go could let attackers steal or change your data by sending a massive, specially crafted database command. Update your Go applications using pgx immediately.

Halo Surface Signal (score: 2)

SQL Injection

Jackc Pgproto3

Affected versions: pgproto3 before 2.3.3; pgx before 4.18.2; pgx 5.0.0 to before 5.5.4

External exposure likelihood

Halo Surface Signal score for CVE-2024-27304

The pgx database driver is an internal backend library for Go applications communicating with PostgreSQL. While the parent Go application can be internet-facing, triggering this vulnerability requires sending a payload exceeding 4 GB. This is typically blocked by default web server or proxy request limits, making internet exposure uncommon and requiring an unusual application configuration.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows an attacker to inject malicious SQL by sending an unusually large query or bind message to applications using the pgx PostgreSQL driver. The driver miscalculates the size of messages larger than 4 GB, causing it to split the attacker's message into multiple smaller messages, bypassing intended security checks. This could allow unauthorized access to or modification of sensitive data.

  • Potential for data compromise.
  • Affects applications using the pgx Go driver.
  • Requires a very large message to trigger.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by crafting a malformed, exceptionally large SQL query or bind message intended for a Go application using the vulnerable pgx PostgreSQL driver. The integer overflow allows this large message to be split into smaller ones, bypassing size restrictions and potentially leading to SQL injection.

  • Network access required.
  • Target: Go applications using pgx.
  • Large message bypasses size limits.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a low immediate threat because it requires an attacker to craft a single SQL query or bind message exceeding 4 GB. Such large messages are often blocked by network infrastructure like web servers or proxies, and triggering this requires specific application configurations that are uncommon, making direct internet exploitation unlikely.

  • No known exploit in the wild.
  • Not on the KEV catalog.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching affected pgx and pgproto3 Go libraries to versions v4.18.2, v5.5.4, or newer to address a critical SQL injection vulnerability caused by an integer overflow. If immediate patching is not feasible, implement strict input validation to reject user-supplied messages exceeding 4 GB to prevent triggering the overflow condition.

  • Update pgx to v4.18.2 or v5.5.4.
  • Validate and reject large query messages.
  • Monitor for unusually large query sizes.
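The following Go snippet is an added illustration, not code from the pgx project, of both points above: why a message over 4 GB wraps its 32-bit length prefix and gets read by the server as several shorter messages, and how an application can guard parameter sizes before they reach the driver. The Bind layout follows the documented PostgreSQL frontend/backend protocol; the function names and sample sizes are constructed for this example.

```go
package main

import (
	"fmt"
	"math"
)

// Every PostgreSQL frontend message carries a signed 32-bit length field,
// so no single well-formed message can exceed this many bytes.
const maxPgMessage = math.MaxInt32

// bindMessageLength returns the length field a Bind message would need for
// parameters of the given sizes. It uses int64 so the sum itself cannot wrap.
// Layout: int32 length (counts itself), portal and statement names as
// NUL-terminated strings, int16 format-code count plus one code per parameter,
// int16 parameter count, each parameter as int32 length plus bytes (NULL is -1
// with no bytes), then int16 result-format count with zero codes.
func bindMessageLength(portal, statement string, paramSizes []int64) int64 {
	n := int64(4)                      // the length field itself
	n += int64(len(portal)) + 1        // portal name + NUL
	n += int64(len(statement)) + 1     // statement name + NUL
	n += 2 + 2*int64(len(paramSizes))  // format-code count + codes
	n += 2                             // parameter count
	for _, sz := range paramSizes {
		n += 4 // per-parameter length prefix
		if sz > 0 {
			n += sz
		}
	}
	return n + 2 // result-format count
}

// truncatedLength mirrors the overflow: storing the true total in an int32
// without a range check wraps it, so the server sees a short Bind and parses
// the leftover bytes as further, attacker-shaped messages.
func truncatedLength(total int64) int32 {
	return int32(total) // deliberate narrowing to show the wrap
}

// checkBindSize is the application-side guard: refuse any Bind whose true
// size cannot be represented in the protocol's length field.
func checkBindSize(portal, statement string, paramSizes []int64) error {
	if total := bindMessageLength(portal, statement, paramSizes); total > maxPgMessage {
		return fmt.Errorf("bind message would be %d bytes, exceeds int32 length field", total)
	}
	return nil
}

func main() {
	sizes := []int64{4 << 30, 16} // constructed: a 4 GiB parameter plus a small one
	total := bindMessageLength("", "stmt1", sizes)
	fmt.Printf("true length %d, wrapped int32 field %d\n", total, truncatedLength(total))
	fmt.Println(checkBindSize("", "stmt1", sizes))
}
```

For the constructed 4 GiB parameter the true length is 2^32 + 45 bytes while the wrapped field reads 45, which is the fragmentation the advisory describes; the guard rejects it before the driver encodes anything.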

Frequently asked questions

What is pgx and its purpose in Go applications?

pgx is a programming toolkit and driver written in Go for interacting with PostgreSQL databases. It enables Go applications to execute queries, retrieve data, and manage database connections efficiently.

How does CVE-2024-27304 facilitate SQL injection attacks?

This vulnerability combines CWE-89 SQL injection and CWE-190 integer overflow. When a Go application uses a vulnerable pgx version and sends a PostgreSQL message larger than 4 GB, an integer overflow occurs. This causes the driver to improperly fragment the large message into smaller ones, which an attacker can then manipulate to inject malicious SQL code.

What specific weaknesses are identified in CVE-2024-27304?

The identified weaknesses are CWE-89, related to SQL injection, and CWE-190, an integer overflow vulnerability.

What is the practical impact of CVE-2024-27304 on internet-facing applications?

Exploiting this vulnerability requires sending a PostgreSQL message exceeding 4 GB. Internet-facing applications are less likely to be directly exploited because network infrastructure like web servers and proxies typically block such large requests. Exploitation is considered unlikely due to these preventative measures and the need for specific application configurations.

What are the recommended steps to mitigate the risks associated with CVE-2024-27304?

The primary recommendation is to update the pgx and pgproto3 libraries to secure versions (v4.18.2, v5.5.4, or later). As a workaround, applications can implement robust input validation to reject any user-provided messages that would exceed the 4 GB size limit for a single query or bind message.
