{"id":"GO-2024-2605","summary":"SQL injection in github.com/jackc/pgx/v4","details":"SQL injection is possible when the database uses the non-default simple protocol, a minus sign directly precedes a numeric placeholder followed by a string placeholder on the same line, and both parameter values are user-controlled.","aliases":["CVE-2024-27289","GHSA-m7wr-2xf7-cm9p"],"modified":"2026-03-17T04:49:06.921069Z","published":"2024-03-11T20:08:05Z","related":["CGA-6fr5-f876-7rfw"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-2605"},"references":[{"type":"ADVISORY","url":"https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p"},{"type":"FIX","url":"https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df"}],"affected":[{"package":{"name":"github.com/jackc/pgx","ecosystem":"Go","purl":"pkg:golang/github.com/jackc/pgx"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Query.Sanitize","SanitizeSQL"],"path":"github.com/jackc/pgx/internal/sanitize"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2605.json"}},{"package":{"name":"github.com/jackc/pgx/v4","ecosystem":"Go","purl":"pkg:golang/github.com/jackc/pgx/v4"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.18.2"}]}],"ecosystem_specific":{"imports":[{"symbols":["Query.Sanitize","SanitizeSQL"],"path":"github.com/jackc/pgx/v4/internal/sanitize"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2605.json"}}],"schema_version":"1.7.5","credits":[{"name":"paul-gerste-sonarsource"}]}