VYPR
High severity · NVD Advisory · Published Mar 6, 2024 · Updated Jun 12, 2025

pgx SQL Injection via Line Comment Creation

CVE-2024-27289

Description

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.
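The following is an added example, not pgx's code: a small stand-in interpolator in Go that renders the same template shape the description lists (a numeric placeholder directly after a minus, followed by a string placeholder) once with bare literals and once with the parenthesised literals of the fix, plus two defender-side checks: one that reports an unintended `--` outside a string literal in rendered SQL, and one that flags any placeholder directly preceded by `-` in a template, which is the workaround condition. The `$n` placeholder syntax, the function names and the sample values are assumptions; unlike pgx, the interpolator does not parse string literals in the template.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// formatArgBare mimics the pre-4.18.2 shape (constructed, not pgx code):
// literals are emitted as-is, so a negative number after a '-' in the
// template joins with it to form "--".
func formatArgBare(arg interface{}) (string, error) {
	switch v := arg.(type) {
	case nil:
		return "null", nil
	case int64:
		return strconv.FormatInt(v, 10), nil
	case float64:
		return strconv.FormatFloat(v, 'f', -1, 64), nil
	case string:
		return "'" + strings.ReplaceAll(v, "'", "''") + "'", nil
	default:
		return "", fmt.Errorf("unsupported arg type %T", arg)
	}
}

// formatArgWrapped mirrors the 4.18.2 fix: every literal is parenthesised,
// so the rendered text can never begin with '-' right after the template's '-'.
func formatArgWrapped(arg interface{}) (string, error) {
	s, err := formatArgBare(arg)
	if err != nil {
		return "", err
	}
	return "(" + s + ")", nil
}

var placeholderRE = regexp.MustCompile(`\$(\d+)`)

// interpolate substitutes $n placeholders in sql with format(args[n-1]).
// Assumed simplification: string literals in the template are not parsed.
func interpolate(sql string, args []interface{}, format func(interface{}) (string, error)) (string, error) {
	var firstErr error
	out := placeholderRE.ReplaceAllStringFunc(sql, func(m string) string {
		n, _ := strconv.Atoi(m[1:])
		if n < 1 || n > len(args) {
			if firstErr == nil {
				firstErr = fmt.Errorf("placeholder %s out of range", m)
			}
			return m
		}
		s, err := format(args[n-1])
		if err != nil {
			if firstErr == nil {
				firstErr = err
			}
			return m
		}
		return s
	})
	if firstErr != nil {
		return "", firstErr
	}
	return out, nil
}

// containsLineComment reports whether "--" occurs outside a single-quoted
// string literal in rendered SQL, i.e. a line comment the template did not
// write. Doubled quotes ('') inside a literal are treated as escapes.
func containsLineComment(sql string) bool {
	inStr := false
	for i := 0; i < len(sql); i++ {
		c := sql[i]
		if inStr {
			if c == '\'' {
				if i+1 < len(sql) && sql[i+1] == '\'' {
					i++ // escaped quote, still inside the literal
					continue
				}
				inStr = false
			}
			continue
		}
		switch {
		case c == '\'':
			inStr = true
		case c == '-' && i+1 < len(sql) && sql[i+1] == '-':
			return true
		}
	}
	return false
}

// minusBeforePlaceholder returns the placeholders directly preceded by '-',
// the template shape the advisory's workaround says to avoid.
func minusBeforePlaceholder(sql string) []string {
	var hits []string
	for _, loc := range placeholderRE.FindAllStringIndex(sql, -1) {
		if loc[0] > 0 && sql[loc[0]-1] == '-' {
			hits = append(hits, sql[loc[0]:loc[1]])
		}
	}
	return hits
}

func main() {
	// Constructed template and values matching the advisory's conditions.
	tmpl := "select 1-$1, $2"
	args := []interface{}{int64(-1), "x"}
	before, _ := interpolate(tmpl, args, formatArgBare)
	after, _ := interpolate(tmpl, args, formatArgWrapped)
	fmt.Printf("bare:    %s  line comment: %v\n", before, containsLineComment(before))
	fmt.Printf("wrapped: %s  line comment: %v\n", after, containsLineComment(after))
	fmt.Printf("placeholders after '-': %v\n", minusBeforePlaceholder(tmpl))
}
```

Running `minusBeforePlaceholder` over a code base's simple-protocol templates is a cheap way to find the queries that the workaround applies to while an upgrade is pending; `containsLineComment` is only a sanity check on rendered text and is no substitute for upgrading to 4.18.2 or for using the extended protocol.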

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Ecosystem   Affected versions   Patched versions
github.com/jackc/pgx      Go          < 4.18.2            4.18.2
github.com/jackc/pgx/v4   Go          < 4.18.2            4.18.2

Patches

Commit f94eb0e2f967

Always wrap arguments in parentheses in the SQL sanitizer

https://github.com/jackc/pgx · Jack Christensen · Feb 24, 2024 · via ghsa
2 files changed · +14 −20
  • internal/sanitize/sanitize.go (modified, +4 −10)
    @@ -44,18 +44,8 @@ func (q *Query) Sanitize(args ...interface{}) (string, error) {
     				str = "null"
     			case int64:
     				str = strconv.FormatInt(arg, 10)
    -				// Prevent SQL injection via Line Comment Creation
    -				// https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
    -				if arg < 0 {
    -					str = "(" + str + ")"
    -				}
     			case float64:
    -				// Prevent SQL injection via Line Comment Creation
    -				// https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
     				str = strconv.FormatFloat(arg, 'f', -1, 64)
    -				if arg < 0 {
    -					str = "(" + str + ")"
    -				}
     			case bool:
     				str = strconv.FormatBool(arg)
     			case []byte:
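
Review bot: dropping the `if arg < 0` guards in the int64 and float64 cases is only safe because the unconditional wrap is added further down the same function (after `argUse[argIdx] = true`); the two hunks are one logical change and must not be split across commits, and a one-line comment at the removal site pointing at the new wrap would stop the next reader from concluding the protection was removed. The direction is right: the sign check tied safety to the formatted value and was type-specific (strings, bytes, null and bool were left bare), whereas wrapping every argument makes the invariant independent of what the literal starts with.
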
    @@ -68,6 +58,10 @@ func (q *Query) Sanitize(args ...interface{}) (string, error) {
     				return "", fmt.Errorf("invalid arg type: %T", arg)
     			}
     			argUse[argIdx] = true
    +
    +			// Prevent SQL injection via Line Comment Creation
    +			// https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
    +			str = "(" + str + ")"
     		default:
     			return "", fmt.Errorf("invalid Part type: %T", part)
     		}
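
Review bot: `str = "(" + str + ")"` now runs for every argument that reaches `argUse[argIdx] = true`, so the rendered text of every simple-protocol query changes (the tests in sanitize_test.go go from `select 42` to `select (42)`); that is user-visible and should be called out in the changelog next to the advisory link. Placement after the switch is correct, since the `invalid arg type` return still fires before anything is wrapped; the approach relies on each case producing a self-contained SQL literal (quoted strings and bytes, formatted numerics, `null`, `true`/`false`), which the visible cases do, so `(null)` and `('foo''bar')` remain valid expressions.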
    
  • internal/sanitize/sanitize_test.go (modified, +10 −10)
    @@ -127,52 +127,52 @@ func TestQuerySanitize(t *testing.T) {
     		{
     			query:    sanitize.Query{Parts: []sanitize.Part{"select 42"}},
     			args:     []interface{}{},
    -			expected: `select 42`,
    +			expected: `select (42)`,
     		},
     		{
     			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
     			args:     []interface{}{int64(42)},
    -			expected: `select 42`,
    +			expected: `select (42)`,
     		},
     		{
     			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
     			args:     []interface{}{float64(1.23)},
    -			expected: `select 1.23`,
    +			expected: `select (1.23)`,
     		},
     		{
     			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
     			args:     []interface{}{true},
    -			expected: `select true`,
    +			expected: `select (true)`,
     		},
     		{
     			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
     			args:     []interface{}{[]byte{0, 1, 2, 3, 255}},
    -			expected: `select '\x00010203ff'`,
    +			expected: `select ('\x00010203ff')`,
     		},
     		{
     			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
     			args:     []interface{}{nil},
    -			expected: `select null`,
    +			expected: `select (null)`,
     		},
     		{
     			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
     			args:     []interface{}{"foobar"},
    -			expected: `select 'foobar'`,
    +			expected: `select ('foobar')`,
     		},
     		{
     			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
     			args:     []interface{}{"foo'bar"},
    -			expected: `select 'foo''bar'`,
    +			expected: `select ('foo''bar')`,
     		},
     		{
     			query:    sanitize.Query{Parts: []sanitize.Part{"select ", 1}},
     			args:     []interface{}{`foo\'bar`},
    -			expected: `select 'foo\''bar'`,
    +			expected: `select ('foo\''bar')`,
     		},
     		{
     			query:    sanitize.Query{Parts: []sanitize.Part{"insert ", 1}},
     			args:     []interface{}{time.Date(2020, time.March, 1, 23, 59, 59, 999999999, time.UTC)},
    -			expected: `insert '2020-03-01 23:59:59.999999Z'`,
    +			expected: `insert ('2020-03-01 23:59:59.999999Z')`,
     		},
     		{
     			query:    sanitize.Query{Parts: []sanitize.Part{"select 1-", 1}},
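
Review bot: the first case (`Parts: []sanitize.Part{"select 42"}` with empty args) contains no placeholder, so the sanitizer emits the literal part unchanged and nothing gets wrapped; the new `expected: select (42)` for that case cannot be produced by this change and should stay `select 42` (it reads like a search-and-replace over-reach from the `"select ", 1` cases that follow). The remaining updates wrap exactly the interpolated argument and look right; the `select 1-` case at the end of the hunk is the one that actually exercises the advisory's condition, so it deserves a paired negative-value expectation such as `select 1-(-1)` rather than only the positive one.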
    

