pgx PostgreSQL Driver SQL Injection Vulnerability via Dollar-Quoted String Literals

Vulnerability

A SQL injection vulnerability has been identified in the pgx PostgreSQL driver for Go (module github.com/jackc/pgx/v5), affecting versions prior to 5.9.2. The flaw lies in the client-side placeholder substitution pgx performs when the non-default simple protocol is in use (pgx.QueryExecModeSimpleProtocol, selected per call or as the connection's default query exec mode, including via the default_query_exec_mode=simple_protocol connection parameter). In that mode parameters are not bound server-side; pgx rewrites the query text, replacing each $n placeholder with a quoted rendering of the corresponding argument. That substitution did not treat dollar-quoted string literals ($$...$$ or $tag$...$tag$) as literals, so text such as $1 inside one was interpreted as a placeholder and replaced. The replacement is quoted for an ordinary SQL context, not for the inside of a dollar-quoted literal, so an attacker who controls that argument can include the literal's closing delimiter, terminate the literal, and append SQL of their own. The default extended-protocol modes, which bind parameters on the server, are not affected. This vulnerability has been patched in version 5.9.2.

Impact

Exploitation of this vulnerability allows SQL injection: an attacker who controls the affected argument can terminate the dollar-quoted literal and append arbitrary SQL statements, which execute with the privileges of the application's database role. In the demonstrated proof-of-concept the injected SQL dropped a database table; reading or modifying any data that role can reach is equally possible.

Reproduction

To reproduce this vulnerability, use a pgx version prior to 5.9.2 (5.9.1 or earlier) with the simple protocol enabled. Write a query containing a dollar-quoted string literal whose body includes placeholder-like text (for example $1), and pass an attacker-controlled value for that placeholder containing the literal's closing delimiter followed by further SQL. The proof-of-concept test committed in 'query_test.go' demonstrates this by executing an injected statement that drops a table.
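The following Go program, written for this page and not taken from pgx, makes the mechanism described in the Vulnerability and Reproduction sections concrete. It models a simplified client-side placeholder substitution of the kind the simple protocol requires, once without any knowledge of dollar quoting (the pre-5.9.2 behaviour) and once skipping dollar-quoted literals. The query, the table name notes, the payload and the function names NaiveSubstitute and FixedSubstitute are constructed for illustration and are not pgx's API.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// quoteString renders s as a PostgreSQL single-quoted literal, the form a
// client-side substitution uses for string arguments. It is only correct
// outside dollar quoting, which is the root of the bug modelled here.
func quoteString(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

func isDigit(c byte) bool  { return c >= '0' && c <= '9' }
func isLetter(c byte) bool { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') }

// dollarTagLen returns the length of a dollar-quote opener ($$ or $tag$) at
// the start of s, or 0 if there is none. Tags may not start with a digit, so
// "$1" is never mistaken for an opener.
func dollarTagLen(s string) int {
	if len(s) < 2 || s[0] != '$' {
		return 0
	}
	j := 1
	if isLetter(s[j]) || s[j] == '_' {
		for j < len(s) && (isLetter(s[j]) || isDigit(s[j]) || s[j] == '_') {
			j++
		}
	}
	if j < len(s) && s[j] == '$' {
		return j + 1
	}
	return 0
}

// substitute rewrites $n placeholders with quoted args, copying single-quoted
// literals verbatim. With dollarQuotes=false it mirrors the flawed behaviour
// and substitutes "$1" even inside $$...$$; with true it skips such literals.
func substitute(sql string, args []string, dollarQuotes bool) (string, error) {
	var out strings.Builder
	maxRef := 0
	for i := 0; i < len(sql); {
		c := sql[i]
		switch {
		case c == '\'':
			j := i + 1 // copy a single-quoted literal, honouring '' escapes
			for j < len(sql) {
				if sql[j] == '\'' {
					if j+1 < len(sql) && sql[j+1] == '\'' {
						j += 2
						continue
					}
					j++
					break
				}
				j++
			}
			out.WriteString(sql[i:j])
			i = j
		case c == '$' && dollarQuotes && dollarTagLen(sql[i:]) > 0:
			tag := sql[i : i+dollarTagLen(sql[i:])] // copy up to the matching tag
			end := strings.Index(sql[i+len(tag):], tag)
			if end < 0 {
				return "", fmt.Errorf("unterminated dollar-quoted string")
			}
			j := i + len(tag) + end + len(tag)
			out.WriteString(sql[i:j])
			i = j
		case c == '$' && i+1 < len(sql) && isDigit(sql[i+1]):
			j := i + 1 // a placeholder: replace with the quoted argument
			for j < len(sql) && isDigit(sql[j]) {
				j++
			}
			n, _ := strconv.Atoi(sql[i+1 : j])
			if n < 1 || n > len(args) {
				return "", fmt.Errorf("placeholder $%d has no argument", n)
			}
			if n > maxRef {
				maxRef = n
			}
			out.WriteString(quoteString(args[n-1]))
			i = j
		default:
			out.WriteByte(c)
			i++
		}
	}
	if maxRef != len(args) {
		return "", fmt.Errorf("expected %d arguments, got %d", maxRef, len(args))
	}
	return out.String(), nil
}

// NaiveSubstitute models the vulnerable substitution; FixedSubstitute the corrected one.
func NaiveSubstitute(sql string, args []string) (string, error) { return substitute(sql, args, false) }
func FixedSubstitute(sql string, args []string) (string, error) { return substitute(sql, args, true) }

func main() {
	// Constructed query and attacker-controlled argument (illustrative, not from the page).
	query := "SELECT $$lit $1$$ AS s, $1 AS v"
	payload := "$$; DROP TABLE notes; --"
	naive, err := NaiveSubstitute(query, []string{payload})
	fmt.Printf("naive: %q err=%v\n", naive, err)
	fixed, err := FixedSubstitute(query, []string{payload})
	fmt.Printf("fixed: %q err=%v\n", fixed, err)
}
```

In the naive output PostgreSQL's simple query protocol lexes $$lit '$$ as a complete string, runs the DROP TABLE that follows, and treats the trailing -- as a comment; the same statement list would be parsed and executed as a unit, so the payload is built to keep the first statement syntactically valid. The fixed output substitutes only the real placeholder and leaves the literal intact, and a query whose only $1 sits inside a dollar-quoted literal is rejected with an argument-count error rather than silently rewritten. The quoting shown is a minimal model; the point is the lexer's handling of dollar quotes, not a full reproduction of a driver's quoting rules.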

Remediation

Users should update to pgx version 5.9.2 or later to address this vulnerability. The version in use can be confirmed with go list -m github.com/jackc/pgx/v5, and the upgrade applied with go get github.com/jackc/pgx/v5@v5.9.2 (or a later release) followed by go mod tidy. Instructions for downloading the latest version are available on the pgx GitHub releases page. Until the upgrade is deployed, exposure is limited to code paths that use the simple protocol; these can be located by searching for QueryExecModeSimpleProtocol in the code base and for default_query_exec_mode=simple_protocol in connection strings. Deployments that rely on the simple protocol for compatibility with a connection pooler cannot simply switch modes, so for them the upgrade is the only fix.

Added: May 8, 2026, 5:59 PM
Updated: May 8, 2026, 5:59 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.