Critical severity 9.8 · NVD Advisory · Published Mar 6, 2024 · Updated May 21, 2026
CVE-2024-27304
Description
pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.
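The overflow and the workaround described above, as an added Go sketch (not pgx's own code). It assumes PostgreSQL v3 framing, where each frontend message is a type byte followed by a 4-byte length that counts itself plus the body; the function names and the `maxBody` cap are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Assumed framing: 1-byte type, then a 4-byte big-endian length that
// counts itself plus the body.
const lenFieldSize = 4

// maxBody is the largest body a 32-bit length field can describe
// (hypothetical cap for this sketch; real services should cap far lower).
const maxBody = math.MaxUint32 - lenFieldSize

var ErrTooLarge = errors.New("message body does not fit a 32-bit length field")

// queryBodyLen is the body size of a simple Query message: SQL text plus NUL.
func queryBodyLen(sqlLen int64) int64 { return sqlLen + 1 }

// wrappedLength models the unchecked calculation: only the low 32 bits of
// the true size survive in the length field.
func wrappedLength(bodyLen int64) uint32 { return uint32(bodyLen + lenFieldSize) }

// bytesOutsideFrame is how many body bytes fall past the declared frame,
// which the receiver would go on to parse as further messages.
func bytesOutsideFrame(bodyLen int64) int64 {
	declaredBody := int64(wrappedLength(bodyLen)) - lenFieldSize
	return bodyLen - declaredBody
}

// checkedLength is the guard: refuse to encode instead of truncating.
func checkedLength(bodyLen int64) (uint32, error) {
	if bodyLen < 0 || bodyLen > maxBody {
		return 0, ErrTooLarge
	}
	return uint32(bodyLen + lenFieldSize), nil
}

func main() {
	// Constructed size: 4 GiB + 100 bytes of SQL text. Nothing is allocated.
	body := queryBodyLen(1<<32 + 100)
	fmt.Println("declared length:", wrappedLength(body))
	fmt.Println("bytes outside frame:", bytesOutsideFrame(body))
	_, err := checkedLength(body)
	fmt.Println("guard:", err)
}
```

On an unpatched version, the same bound has to be enforced on user input before it reaches the driver, counting every parameter that ends up in one query or bind message.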
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| github.com/jackc/pgx (Go) | < 4.18.2 | 4.18.2 |
| github.com/jackc/pgx (Go) | >= 5.0.0, < 5.5.4 | 5.5.4 |
| github.com/jackc/pgx/v4 (Go) | < 4.18.2 | 4.18.2 |
| github.com/jackc/pgx/v5 (Go) | >= 5.0.0, < 5.5.4 | 5.5.4 |
Affected products
References
- github.com/jackc/pgproto3/commit/945c2126f6db8f3bea7eeebe307c01fe92bca007 (nvd; Patch; WEB)
- github.com/jackc/pgx/commit/adbb38f298c76e283ffc7c7a3f571036fea47fd4 (nvd; Patch; WEB)
- github.com/jackc/pgx/commit/c543134753a0c5d22881c12404025724cb05ffd8 (nvd; Patch; WEB)
- github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df (nvd; Patch; WEB)
- github.com/advisories/GHSA-mrww-27vc-gghv (ghsa; ADVISORY)
- github.com/jackc/pgproto3/security/advisories/GHSA-7jwh-3vrq-q3m8 (nvd; Vendor Advisory; WEB)
- github.com/jackc/pgx/security/advisories/GHSA-mrww-27vc-gghv (nvd; Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-27304 (ghsa; ADVISORY)
- www.youtube.com/watch (nvd; Press/Media Coverage; WEB)