Query smuggling in ch-go library
Description
When using the ch-go library, under a specific condition in which a query includes large, uncompressed, attacker-controlled external data, the party in control of that data can smuggle another query packet into the connection stream.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Query smuggling vulnerability in ClickHouse ch-go library allows an attacker to inject a second query via malicious external data.
CVE-2025-1386 is a query smuggling vulnerability in the ch-go library, a low-level Go client for ClickHouse. Under specific conditions, when a query includes a large, uncompressed malicious external data block, an attacker can inject a second query packet into the same connection stream [2][3].
Exploitation requires the attacker to control external data supplied to a query, such as in an INSERT or SELECT with external data. The malicious data is crafted to be large and uncompressed, allowing the attacker to smuggle an additional query packet that the server processes as a separate query [3]. No authentication bypass is needed; the attacker simply controls the data sent with a legitimate query.
Successful exploitation allows the attacker to execute arbitrary SQL queries on the ClickHouse server, potentially leading to data exfiltration, modification, or denial of service. The attack is performed within the context of the existing connection, so the attacker gains the privileges of the user executing the original query.
The vulnerability has been patched in ch-go version 0.65.0 [4]. Users should upgrade immediately. There is no known workaround; using compressed external data or limiting external data size may reduce risk but not eliminate it [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
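As an added illustration that is not part of this record or of the ch-go project, the Go snippet below places the pre-patch length encoding from the fix diff beside the guarded form from PR #1041, working on the two length fields alone so that no multi-gigabyte buffer is needed. The header offsets and the function names are this example's assumptions, inferred from the identifiers visible in the hunk.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Header layout assumed here (inferred from the field names in the diff): 16-byte
// checksum, 1-byte method, uint32 compressed size counting the 9-byte
// method+sizes header, uint32 uncompressed size.
const (
	compressHeaderSize = 9
	headerSize         = 16 + compressHeaderSize
	hRawSize           = 17 // follows the checksum and method byte
	hDataSize          = hRawSize + 4
)

// encodeSizesUnchecked mirrors the pre-patch writer: the sum is silently narrowed
// to uint32, so once n+9 reaches 2^32 the header declares a tiny block and the
// bytes that follow it are parsed as the next packet on the connection.
func encodeSizesUnchecked(hdr []byte, n, rawLen uint64) {
	binary.LittleEndian.PutUint32(hdr[hRawSize:], uint32(n+compressHeaderSize))
	binary.LittleEndian.PutUint32(hdr[hDataSize:], uint32(rawLen))
}

// encodeSizesChecked applies the PR #1041 guard and, going one step past the
// patch, the same guard to the uncompressed length.
func encodeSizesChecked(hdr []byte, n, rawLen uint64) error {
	if n+compressHeaderSize > math.MaxUint32 {
		return errors.New("compressed size overflows uint32")
	}
	if rawLen > math.MaxUint32 {
		return errors.New("uncompressed size overflows uint32")
	}
	encodeSizesUnchecked(hdr, n, rawLen) // both values fit now
	return nil
}

// declaredSizes reads the two length fields back, as a receiver would.
func declaredSizes(hdr []byte) (compressed, raw uint32) {
	return binary.LittleEndian.Uint32(hdr[hRawSize:]), binary.LittleEndian.Uint32(hdr[hDataSize:])
}

func main() {
	hdr := make([]byte, headerSize)
	n := uint64(math.MaxUint32) // stands in for ~4 GiB of uncompressed external data
	encodeSizesUnchecked(hdr, n, n)
	c, _ := declaredSizes(hdr)
	fmt.Printf("unchecked: %d bytes on the wire, header declares %d\n", n+compressHeaderSize, c)
	fmt.Println("checked:", encodeSizesChecked(hdr, n, n))
}
```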
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ClickHouse/ch-go (Go) | < 0.65.0 | 0.65.0 |
Affected products
OSV package coordinates (9 entries) with the affected version range reported for each:
- pkg:apk/chainguard/telegraf-1.33 (no CPE), range: < 0
- pkg:apk/chainguard/telegraf-1.34 (no CPE), range: < 1.34.2-r0
- pkg:apk/chainguard/teleport (no CPE), range: < 0
- pkg:apk/wolfi/telegraf-1.33 (no CPE), range: < 0
- pkg:apk/wolfi/telegraf-1.34 (no CPE), range: < 1.34.2-r0
- pkg:apk/wolfi/teleport (no CPE), range: < 0
- pkg:golang/github.com/clickhouse/ch-go (no CPE), range: < 0.65.0
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed (no CPE), range: < 0.0.20250422T181640-1.1
- ch-go/ch-go v5, range: 0
Patches
Commit 10e835663df32: Merge pull request #1041 from ClickHouse/fix_potential_overflow
2 files changed · +8 −1
compress/writer.go+5 −1 modified@@ -56,8 +56,12 @@ func (w *Writer) Compress(buf []byte) error { n = copy(w.Data[headerSize:], buf) } - w.Data = w.Data[:n+headerSize] + // security: https://github.com/ClickHouse/ch-go/pull/1041 + if uint64(n)+uint64(compressHeaderSize) > math.MaxUint32 { + return errors.New("compressed size overflows uint32") + } + w.Data = w.Data[:n+headerSize] binary.LittleEndian.PutUint32(w.Data[hRawSize:], uint32(n+compressHeaderSize)) binary.LittleEndian.PutUint32(w.Data[hDataSize:], uint32(len(buf))) h := city.CH128(w.Data[hMethod:])
.gitignore+3 −0 modified@@ -13,3 +13,6 @@ # Dependency directories (remove the comment below to include it) # vendor/ + +# Editors +.idea/
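Review bot: in the compress/writer.go hunk the new guard covers only the first length field; `uint32(len(buf))` written at `hDataSize` on the following line is still an unchecked narrowing, so an input longer than math.MaxUint32 that compresses to a small `n` passes the guard and has its uncompressed size truncated. Suggest adding `if uint64(len(buf)) > math.MaxUint32 { return errors.New("uncompressed size overflows uint32") }` beside the existing check. Also, the hunk introduces `math.MaxUint32` and `errors.New` without touching the import block (writer.go is +5 −1 in total), so the change only builds if both packages were already imported; worth confirming in review.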
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
No linked articles in our index yet.