CVE-2024-44905
Description
go-pg pg v10.13.0 was discovered to contain a SQL injection vulnerability via the component /types/append_value.go.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection vulnerability in go-pg pg v10.13.0 allows negative numeric parameters to introduce line comments, altering query semantics even with prepared statements.
Root cause
A SQL injection vulnerability exists in go-pg pg v10.13.0 within the /types/append_value.go component. The flaw arises when handling negative numeric parameters: the library does not properly escape or wrap them, allowing a leading dash to combine with user-controlled data to form a double dash (--) sequence. This sequence introduces a line comment in SQL, effectively truncating the query and enabling injection [1][2].
Exploitation
Exploitation requires the library to operate in simple query mode, which is necessary when connecting through connection poolers like PgBouncer. An attacker who can control a numeric parameter value (e.g., via a web application) can supply a negative number crafted to produce a -- comment, thereby altering the query syntax. No special privileges or authentication bypass is required; the attacker only needs to influence a parameter that is interpolated into a SQL statement [1].
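To make the root cause and the exploitation path above concrete, here is an added Go example (not go-pg's code) built around a hypothetical minimal placeholder formatter: it contrasts the pre-fix strconv.AppendInt path with the guard introduced in v10.15.0, then runs a simplified comment-stripping lexer over both outputs to show which statements a server in simple-query mode would actually see. The query and the second, correctly quoted string value in the test are constructed from the test case in the fix commit.

```go
package main

import (
	"strconv"
	"strings"
)

// Pre-fix path: strconv.AppendInt directly, so "1-" followed by -1 yields "1--1".
func appendIntUnsafe(dst []byte, v int64) []byte { return strconv.AppendInt(dst, v, 10) }

// v10.15.0 guard: insert a space when a negative number would follow a '-'.
func appendIntFixed(dst []byte, v int64) []byte {
	if v < 0 && len(dst) > 0 && dst[len(dst)-1] == '-' {
		dst = append(dst, ' ')
	}
	return strconv.AppendInt(dst, v, 10)
}

// formatQuery is a hypothetical minimal formatter (not go-pg's own): each '?'
// is replaced by the next int64 parameter using the supplied append function.
func formatQuery(q string, params []int64, appendInt func([]byte, int64) []byte) string {
	var out []byte
	for i, j := 0, 0; j < len(q); j++ {
		if q[j] == '?' && i < len(params) {
			out = appendInt(out, params[i])
			i++
		} else {
			out = append(out, q[j])
		}
	}
	return string(out)
}

// executedSQL drops "--" line comments that sit outside single-quoted literals,
// approximating what the server lexes from a simple-query string.
func executedSQL(q string) string {
	q += "\n" // sentinel: every comment now ends at a newline; trimmed off below
	out, inQuote := []byte{}, false
	for j := 0; j < len(q); j++ {
		if !inQuote && strings.HasPrefix(q[j:], "--") {
			j += strings.IndexByte(q[j:], '\n') // skip to the newline so later statements stay separate
		}
		if q[j] == '\'' { // a doubled '' toggles twice, so it stays inside the literal
			inQuote = !inQuote
		}
		out = append(out, q[j])
	}
	return strings.TrimSuffix(string(out), "\n")
}
```

With the pre-fix path the first line of the formatted query ends in a comment, so the quoted string's contents become separate statements; with the guard the literal stays a literal.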
Impact
Successful exploitation allows an attacker to modify the intended SQL query logic, potentially executing arbitrary SQL commands. This can lead to data exfiltration, unauthorized data modification, or other database compromises, depending on the permissions of the database user [1][2].
Mitigation
The vulnerability is fixed in version v10.15.0 [3]. The go-pg library is in maintenance mode and only critical issues are addressed; users are advised to update to the patched version or consider migrating to the Bun library for continued support [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/go-pg/pg/v10 (Go) | < 10.15.0 | 10.15.0 |
| github.com/go-pg/pg/v9 (Go) | <= 9.2.1 | — |
| github.com/go-pg/pg (Go) | <= 8.0.7 | — |
Affected products
- go-pg/pg
  OSV coordinates (no CPE assigned), 7 affected version ranges:
  - pkg:apk/chainguard/nuclei: < 3.5.1-r0
  - pkg:apk/wolfi/nuclei: < 3.5.1-r0
  - pkg:golang/github.com/go-pg/pg: <= 8.0.7
  - pkg:golang/github.com/go-pg/pg/v10: < 10.15.0
  - pkg:golang/github.com/go-pg/pg/v9: <= 9.2.1
  - pkg:rpm/opensuse/govulncheck-vulndb (openSUSE Leap 15.6): < 0.0.20251230T014957-150000.1.134.1
  - pkg:rpm/opensuse/govulncheck-vulndb (openSUSE Tumbleweed): < 0.0.20250730T213748-1.1
Patches
eff50a43724e fix: add mandatory space before negative numbers to resolve CVE-2024-44905 (#2029)
3 files changed · +48 −5
orm/format_test.go+24 −0 modified@@ -146,6 +146,30 @@ var formatTests = []formatTest{ paramsMap: paramsMap{"string": "my_value"}, wanted: "?string", }, + + { + q: "select 1-?0, 1.0-?1, 1.0-?2", + params: params{int64(-1), float64(-1.5), math.Inf(-1)}, + wanted: "select 1- -1, 1.0- -1.5, 1.0-'-Infinity'", + }, + { + q: "select 1+?0, 1.0+?1", + params: params{int64(-1), float64(-1.5)}, + wanted: "select 1+-1, 1.0+-1.5", + }, + { + q: "select 1-?0, ?1", + params: params{int64(-1), "foo\n;\nSELECT * FROM passwords;--"}, + // Without a space before the negative number, the first line ends in a comment + wanted: `select 1- -1, 'foo +; +SELECT * FROM passwords;--'`, + }, + { + q: "?0", + params: params{int64(-1)}, + wanted: "-1", + }, } func TestFormatQuery(t *testing.T) {
types/append.go+22 −3 modified@@ -17,11 +17,11 @@ func Append(b []byte, v interface{}, flags int) []byte { case bool: return appendBool(b, v) case int32: - return strconv.AppendInt(b, int64(v), 10) + return appendInt(b, int64(v)) case int64: - return strconv.AppendInt(b, v, 10) + return appendInt(b, v) case int: - return strconv.AppendInt(b, int64(v), 10) + return appendInt(b, int64(v)) case float32: return appendFloat(b, float64(v), flags, 32) case float64: @@ -60,6 +60,15 @@ func appendBool(dst []byte, v bool) []byte { return append(dst, "FALSE"...) } +func appendInt(dst []byte, v int64) []byte { + // To avoid accidental comments which can lead to SQL injection, put a space before + // negative numbers immediately following a minus sign. + if v < 0 && len(dst) > 0 && dst[len(dst)-1] == '-' { + dst = append(dst, ' ') + } + return strconv.AppendInt(dst, v, 10) +} + func appendFloat(dst []byte, v float64, flags int, bitSize int) []byte { if hasFlag(flags, arrayFlag) { return appendFloat2(dst, v, flags) @@ -80,8 +89,18 @@ func appendFloat(dst []byte, v float64, flags int, bitSize int) []byte { if hasFlag(flags, quoteFlag) { return append(dst, "'-Infinity'"...) } + // To avoid accidental comments which can lead to SQL injection, put a space before + // negative numbers immediately following a minus sign. + if v < 0 && len(dst) > 0 && dst[len(dst)-1] == '-' { + dst = append(dst, ' ') + } return append(dst, "-Infinity"...) default: + // To avoid accidental comments which can lead to SQL injection, put a space before + // negative numbers immediately following a minus sign. + if v < 0 && len(dst) > 0 && dst[len(dst)-1] == '-' { + dst = append(dst, ' ') + } return strconv.AppendFloat(dst, v, 'f', -1, bitSize) } }
types/append_value.go+2 −2 modified@@ -24,7 +24,7 @@ type AppenderFunc func([]byte, reflect.Value, int) []byte var appenders []AppenderFunc -//nolint +// nolint func init() { appenders = []AppenderFunc{ reflect.Bool: appendBoolValue, @@ -148,7 +148,7 @@ func appendBoolValue(b []byte, v reflect.Value, _ int) []byte { } func appendIntValue(b []byte, v reflect.Value, _ int) []byte { - return strconv.AppendInt(b, v.Int(), 10) + return appendInt(b, v.Int()) } func appendUintValue(b []byte, v reflect.Value, _ int) []byte {
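Review bot: in the orm/format_test.go hunk the new cases call math.Inf(-1), but no import change is shown; confirm format_test.go already imports math, otherwise the test file will not compile. The third case (a negative int followed by a string containing a newline and a second statement) is the one that documents the actual risk and its comment should stay.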
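Review bot: in the types/append.go hunks the guard `if v < 0 && len(dst) > 0 && dst[len(dst)-1] == '-'` is now copied three times (appendInt and both negative branches of appendFloat); pull it into one small helper called from all three sites so the float branches cannot drift from the int one. Checking only the byte immediately before the number is sufficient for this bug: the `--` comment token needs the two dashes adjacent, so a `-` followed by a space or any other byte cannot combine with the appended digit.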
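Review bot: the `//nolint` to `// nolint` edit in the first types/append_value.go hunk is unrelated to the fix and not merely cosmetic: golangci-lint does not treat `// nolint` (with a space after the slashes) as a directive, so the init function loses its suppression. Drop that line from the security fix or restore `//nolint`. The appendIntValue change in the second hunk is correct in scope, since v.Int() routes every reflect integer kind through the guarded appendInt.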
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6xp3-p59p-q4fj (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-44905 (NVD entry; via GHSA)
- github.com/go-pg/pg/blob/30e7053c6cacdd44d06cf2b92183b49188b7c922/types/append_value.go (vulnerable source file; via GHSA)
- github.com/go-pg/pg/commit/eff50a43724e52347559687a6945c116afbb41c1 (fix commit; via GHSA)
- github.com/go-pg/pg/releases/tag/v10.15.0 (patched release; via GHSA)
- media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn%27t%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf (DEF CON 32 talk, Paul Gerste, "SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level"; via GHSA)
- www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw (Sonar blog post; via GHSA and MITRE)