VYPR
Moderate severity · NVD Advisory · Published Jun 12, 2025 · Updated Aug 13, 2025

CVE-2024-44906

Description

uptrace pgdriver v1.2.1 was discovered to contain a SQL injection vulnerability via the appendArg function in /pgdriver/format.go. The maintainer has stated that the issue is fixed in v1.2.15.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-44906 is a SQL injection vulnerability in uptrace pgdriver v1.2.1, caused by improper handling of negative numbers in the appendArg function, fixed in v1.2.15.

Vulnerability

Details

CVE-2024-44906 is a SQL injection vulnerability in uptrace pgdriver version 1.2.1, the PostgreSQL driver used by the Bun ORM for Go. The flaw resides in the appendArg function in /pgdriver/format.go, which renders negative numeric parameters into the query text without regard to the character that precedes them. When a placeholder directly follows a minus operator (for example 1-$1) and the argument is -1, the interpolated text reads 1--1; PostgreSQL treats -- as the start of a line comment, so the remainder of that line is dropped, breaking the intended syntax and allowing an attacker to inject arbitrary SQL statements [1][2].

Exploitation

The vulnerability is exploitable when the driver runs in "simple query" mode, which some deployments require for compatibility with tools such as older versions of PgBouncer. In this mode the driver interpolates parameters into the query string on the client side instead of sending them to the server separately. An attacker who controls a numeric parameter (for example, user input mapped to a numeric column) can supply a negative value that, when concatenated after a minus sign, forms a line comment (--) and discards the rest of the line, potentially leading to SQL injection. No privileges or network position beyond the ability to supply parameters to a vulnerable query are required [2].

Impact

Successful exploitation could allow an attacker to execute arbitrary SQL commands on the PostgreSQL database. This could result in unauthorized reading or modification of data, privilege escalation, or potentially remote code execution depending on the database configuration. The vulnerability is a classic SQL injection but is subtle because it is triggered through numeric input rather than string input, and numeric input is often assumed to be safe from such attacks [2][3].

Mitigation

The issue is fixed in pgdriver version 1.2.15, as confirmed by the maintainer. The fix makes appendArg emit a space before a negative number whenever the preceding byte of the query buffer is '-', so 1-$1 with -1 becomes 1- -1 rather than 1--1 (an expression such as 1+$1 is left unchanged). Users should upgrade their github.com/uptrace/bun dependency to at least version 1.2.15 to apply the patch [1][3].
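To see the mechanism and the fix end to end, the following is an added example written for this page, not pgdriver's own code: a toy simple-query formatter whose appendArg can run with or without the hardening from the patch, plus a scanner that flags a "--" landing outside string literals. The names appendArg, formatQuery and hasCommentOutsideLiterals, the hardened flag and the single-quote escaping rule are assumptions of this example; the sample query and arguments are constructed to mirror the regression case in the patch's test file.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// appendArg renders one parameter as SQL text. With hardened=true it applies the
// guard from the fix: a space before a negative number that would otherwise fuse
// with a preceding '-' into PostgreSQL's "--" line-comment marker.
func appendArg(b []byte, v interface{}, hardened bool) ([]byte, error) {
	guard := func(negative bool) {
		if hardened && negative && len(b) > 0 && b[len(b)-1] == '-' {
			b = append(b, ' ')
		}
	}
	switch v := v.(type) {
	case nil:
		return append(b, "NULL"...), nil
	case int64:
		guard(v < 0)
		return strconv.AppendInt(b, v, 10), nil
	case float64:
		switch {
		case math.IsInf(v, -1):
			return append(b, "'-Infinity'"...), nil // quoted literal, cannot form "--"
		default:
			guard(v < 0)
			return strconv.AppendFloat(b, v, 'f', -1, 64), nil
		}
	case string:
		// Single-quoted literal with embedded quotes doubled (toy escaping, not pgdriver's).
		b = append(b, '\'')
		b = append(b, strings.ReplaceAll(v, "'", "''")...)
		return append(b, '\''), nil
	default:
		return nil, fmt.Errorf("unsupported argument type %T", v)
	}
}

// formatQuery substitutes $1, $2, ... into query client-side, which is what a
// driver in simple-query mode must do before sending one string to the server.
func formatQuery(query string, args []interface{}, hardened bool) (string, error) {
	var b []byte
	for i := 0; i < len(query); i++ {
		if query[i] != '$' {
			b = append(b, query[i])
			continue
		}
		j := i + 1
		for j < len(query) && query[j] >= '0' && query[j] <= '9' {
			j++
		}
		if j == i+1 { // a lone '$' is copied through unchanged
			b = append(b, '$')
			continue
		}
		n, _ := strconv.Atoi(query[i+1 : j])
		if n < 1 || n > len(args) {
			return "", fmt.Errorf("placeholder $%d has no argument", n)
		}
		var err error
		if b, err = appendArg(b, args[n-1], hardened); err != nil {
			return "", err
		}
		i = j - 1
	}
	return string(b), nil
}

// hasCommentOutsideLiterals reports whether "--" occurs outside a single-quoted
// literal, i.e. where PostgreSQL would start a line comment. Run over formatted
// queries (or a query log) it flags the accidental comment this CVE is about.
func hasCommentOutsideLiterals(sql string) bool {
	inQuote := false
	for i := 0; i < len(sql); i++ {
		switch {
		case sql[i] == '\'':
			inQuote = !inQuote // a doubled '' toggles twice and stays inside
		case !inQuote && sql[i] == '-' && i+1 < len(sql) && sql[i+1] == '-':
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs mirroring the regression case in the patch's test file.
	query := "select 1-$1, $2"
	args := []interface{}{int64(-1), "foo\n;\nSELECT * FROM passwords;--"}
	for _, hardened := range []bool{false, true} {
		sql, _ := formatQuery(query, args, hardened)
		fmt.Printf("hardened=%v accidental comment=%v\n%s\n\n", hardened, hasCommentOutsideLiterals(sql), sql)
	}
}
```

With hardened=false the formatter produces `select 1--1, ...`, and the scanner reports the accidental comment; with hardened=true it produces `select 1- -1, ...` and the scanner is quiet, while `1+$1` is left as `1+-1` in both modes because the guard only looks at a preceding '-'. The scanner is the cheap check to keep: running it over the SQL a simple-query-mode driver actually sends catches this whole class of placeholder-adjacent comment formation, not just the negative-number case.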

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Affected versions   Patched versions
github.com/uptrace/bun/driver/pgdriver (Go)    < 1.2.15            1.2.15

Affected products (12)

Patches (1)
8067a8f13f8d

fix(pgdriver): add mandatory space before negative numbers to resolve CVE-2024-34359

https://github.com/uptrace/bun · Jonathan Katzman · Jun 26, 2025 · via ghsa
2 files changed · +33 −0
  • driver/pgdriver/format.go (+10 −0, modified)
    @@ -66,6 +66,11 @@ func appendArg(b []byte, v interface{}) ([]byte, error) {
     	case nil:
     		return append(b, "NULL"...), nil
     	case int64:
    +		// To avoid accidental comments which can lead to SQL injection, put a space before
    +		// negative numbers immediately following a minus sign.
    +		if v < 0 && len(b) > 0 && b[len(b)-1] == '-' {
    +			b = append(b, ' ')
    +		}
     		return strconv.AppendInt(b, v, 10), nil
     	case float64:
     		switch {
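Review bot: the guard added in the int64 case is repeated verbatim in the float64 branch below; a small helper (a hypothetical `appendNegSpace(b []byte) []byte` that appends ' ' when `len(b) > 0 && b[len(b)-1] == '-'`) called from both sites would keep the two conditions in step if either ever changes. The condition itself matches the reported case: `1-$1` with -1 now yields `1- -1` instead of `1--1`, and `1+$1` is left untouched. Separately, the commit title cites CVE-2024-34359 while this advisory is CVE-2024-44906; confirm the intended identifier before merge.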
    @@ -76,6 +81,11 @@ func appendArg(b []byte, v interface{}) ([]byte, error) {
     		case math.IsInf(v, -1):
     			return append(b, "'-Infinity'"...), nil
     		default:
    +			// To avoid accidental comments which can lead to SQL injection, put a space before
    +			// negative numbers immediately following a minus sign.
    +			if v < 0 && len(b) > 0 && b[len(b)-1] == '-' {
    +				b = append(b, ' ')
    +			}
     			return strconv.AppendFloat(b, v, 'f', -1, 64), nil
     		}
     	case bool:
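Review bot: placing the guard only in the `default` branch is correct, since the `math.IsInf(v, -1)` case just above emits the quoted literal `'-Infinity'` and cannot form `--`; a one-line comment saying so would spare the next reader from asking why that branch is exempt. Same duplication remark as for the int64 case: this block and the one above should share one helper.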
    
  • driver/pgdriver/format_test.go (+23 −0, modified)
    @@ -35,6 +35,29 @@ func TestFormatQuery(t *testing.T) {
     			args:   []interface{}{nil, "", []byte(nil), time.Time{}},
     			wanted: "select NULL,'',NULL,NULL",
     		},
    +		{
    +			query:  "select 1-$1, 1.0-$2, 1.0-$3",
    +			args:   []interface{}{int64(-1), float64(-1.5), math.Inf(-1)},
    +			wanted: "select 1- -1, 1.0- -1.5, 1.0-'-Infinity'",
    +		},
    +		{
    +			query:  "select 1+$1, 1.0+$2",
    +			args:   []interface{}{int64(-1), float64(-1.5)},
    +			wanted: "select 1+-1, 1.0+-1.5",
    +		},
    +		{
    +			query: "select 1-$1, $2",
    +			args:  []interface{}{int64(-1), "foo\n;\nSELECT * FROM passwords;--"},
    +			// Without a space before the negative number, the first line ends in a comment
    +			wanted: `select 1- -1, 'foo
    +;
    +SELECT * FROM passwords;--'`,
    +		},
    +		{
    +			query:  "$1",
    +			args:   []interface{}{int64(-1)},
    +			wanted: "-1",
    +		},
     	}
     
     	for _, test := range tests {
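Review bot: the new cases call `math.Inf(-1)`, but the hunk adds no import line and the file summary shows exactly these 23 added lines, so `math` must already be imported in format_test.go; please confirm, because a missing import fails the build rather than the test. On coverage, a case with whitespace between the operator and the placeholder (`1 - $1`) would pin down that the guard does not fire when the preceding byte is a space, and the injection-shaped case would be clearer if its comment stated the pre-fix output (`select 1--1, 'foo`, with the rest of that line commented out) next to the wanted value.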
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (10)

News mentions (0)

No linked articles in our index yet.