Go Database/SQL Rows.Scan Race Condition Vulnerability

Vulnerability

A race condition has been identified in the Go standard library's database/sql package. It affects Go versions before 1.23.12 and versions 1.24.0 through 1.24.5; the fix ships in 1.23.12 and 1.24.6. The race is triggered when a query is cancelled, by cancelling the context passed to the query methods, while the Scan method of the resulting Rows is executing. Cancellation closes the Rows and returns the underlying connection to the pool, and when that happens concurrently with Scan, other queries running at the same time can interfere with the row data being copied out. Scan may then return values that belong to a different query, or fail with an error.

Impact

Triggering this race can cause Rows.Scan to return data from a different query, or to return an error, disrupting the data flow of applications that rely on it. Because the wrong values come from whatever query reused the connection, an application that serves several users or tenants from a shared connection pool could hand one caller a row that was produced for another; the result is an integrity problem and, depending on the data, a confidentiality one.

Reproduction

To reproduce the race, run a query through database/sql with a cancellable context and cancel that context while the result rows are being scanned, with other queries executing concurrently on the same connection pool. The cancellation can then interfere with the data being scanned, producing values from another query or an error. The issue was observed with the lib/pq driver, where context cancellation created a data race that was not handled correctly, allowing one query's data to bleed into another query's Scan. Since this is a timing-dependent race, a single attempt may not show it; issuing many concurrent queries with cancellation, ideally under the race detector (go test -race), makes it much more likely to surface.
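The following harness, added here as an example and not code from the Go project or this advisory, exercises the scenario above against a constructed in-memory driver rather than a real database. Like lib/pq, the fake driver hands database/sql a []byte that aliases a per-connection buffer, so a row scanned after the connection was released and reused by another query would carry that other query's text. Each query's result column echoes the query text, which gives every worker a cheap way to check that a scanned row really belongs to its own query. The driver name "tag", the tagConn/tagRows types and the scanUnderCancel/openTagDB helpers are all assumptions of this example.

```go
package main

import (
	"context"
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"io"
	"sync"
	"time"
)

// tagDriver is a constructed in-memory driver (an assumption of this example,
// not a real database). Each query returns three rows whose single column
// echoes the query text, so a Scan that delivers another query's data is
// detectable by comparing the scanned value with the query that was issued.
type tagDriver struct{}

func (tagDriver) Open(name string) (driver.Conn, error) { return &tagConn{}, nil }

// tagConn keeps one row buffer per connection that every query reuses, the
// same kind of aliasing that made the race observable with lib/pq.
type tagConn struct{ buf [64]byte }

func (c *tagConn) Prepare(q string) (driver.Stmt, error) { return nil, errors.New("not supported") }
func (c *tagConn) Close() error                          { return nil }
func (c *tagConn) Begin() (driver.Tx, error)             { return nil, errors.New("not supported") }

// QueryContext satisfies driver.QueryerContext, so database/sql passes the
// caller's context through and closes the Rows when the context is cancelled.
func (c *tagConn) QueryContext(ctx context.Context, q string, args []driver.NamedValue) (driver.Rows, error) {
	return &tagRows{conn: c, tag: q, left: 3}, nil
}

type tagRows struct {
	conn *tagConn
	tag  string
	left int
}

func (r *tagRows) Columns() []string { return []string{"tag"} }
func (r *tagRows) Close() error       { return nil }
func (r *tagRows) Next(dest []driver.Value) error {
	if r.left == 0 {
		return io.EOF
	}
	r.left--
	time.Sleep(time.Millisecond) // slow rows widen the window for a cancel during Scan
	n := copy(r.conn.buf[:], r.tag)
	dest[0] = r.conn.buf[:n] // deliberately aliases the connection-owned buffer
	return nil
}

func init() { sql.Register("tag", tagDriver{}) }

// scanUnderCancel runs `workers` goroutines that each issue `rounds` queries.
// Every query gets its own context, which is cancelled from another goroutine
// while the rows are being scanned. It returns how many scanned rows carried a
// different query's text (cross-query contamination) and how many Scan calls
// failed with anything other than the expected context.Canceled.
func scanUnderCancel(db *sql.DB, workers, rounds int) (mismatches, unexpectedErrs int) {
	var mu sync.Mutex
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func(id int) {
			defer wg.Done()
			for r := 0; r < rounds; r++ {
				tag := fmt.Sprintf("worker%d-round%d", id, r)
				ctx, cancel := context.WithCancel(context.Background())
				rows, err := db.QueryContext(ctx, tag)
				if err != nil {
					cancel()
					continue
				}
				go func() { time.Sleep(1500 * time.Microsecond); cancel() }() // races with Scan
				for rows.Next() {
					var got string
					if err := rows.Scan(&got); err != nil {
						if !errors.Is(err, context.Canceled) {
							mu.Lock()
							unexpectedErrs++
							mu.Unlock()
						}
						break
					}
					if got != tag { // row data belongs to some other query
						mu.Lock()
						mismatches++
						mu.Unlock()
					}
				}
				rows.Close()
				cancel()
			}
		}(w)
	}
	wg.Wait()
	return mismatches, unexpectedErrs
}

// openTagDB opens the fake driver with a two-connection pool so that the
// workers must share and reuse connections, as a real pooled deployment would.
func openTagDB() *sql.DB {
	db, err := sql.Open("tag", "")
	if err != nil {
		panic(err)
	}
	db.SetMaxOpenConns(2)
	return db
}

func main() {
	db := openTagDB()
	defer db.Close()
	m, e := scanUnderCancel(db, 4, 25)
	fmt.Printf("mismatched rows: %d, unexpected scan errors: %d\n", m, e)
}
```

On a toolchain that contains the fix, both counters stay at zero: a Scan that loses the race to cancellation simply returns context.Canceled, which the harness treats as the expected outcome. On an unpatched toolchain the race is timing-dependent, so a run may or may not show mismatched rows; running with `go run -race` both raises the odds and reports the underlying data race directly.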

Remediation

Upgrade to Go 1.23.12 or 1.24.6, both of which contain the fix. Because the fix is in the standard library, upgrading the installed toolchain is not enough on its own: every affected binary must be rebuilt with the fixed version. Running go version -m on a deployed binary reports the Go version it was built with, which makes auditing artifacts straightforward. After updating, rerun any concurrency tests under the race detector (go test -race) to confirm the data race no longer appears.

Added: Aug 7, 2025, 4:27 PM
Updated: Aug 7, 2025, 4:27 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.