9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-27304

CVE-2024-27304: pgx SQL Injection via Protocol Message Size Overflow

Impact

SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Patches

The problem is resolved in v4.18.2 and v5.5.4.

Workarounds

Reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-27304

CVE-2024-27304:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/jackc/pgx	go	< 4.18.2	4.18.2
github.com/jackc/pgx	go	>= 5.0.0, < 5.5.4	5.5.4
github.com/jackc/pgx/v4	go	< 4.18.2	4.18.2
github.com/jackc/pgx/v5	go	>= 5.0.0, < 5.5.4	5.5.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper message size validation in protocol message encoding functions. The patches added size checks (e.g., len(ParameterFormatCodes) > math.MaxUint16) and error handling in Encode methods. Functions like Bind.Encode and Query.Encode in pgproto3 were modified to include these validations, indicating they previously lacked proper size checks. These functions construct protocol messages where miscalculations due to large inputs could lead to integer overflows, causing message fragmentation under attacker control - the core of CVE-2024-27304.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-27304: pgx SQL Injection via Protocol Message Size Overflow

Impact

Patches

Workarounds

CVE-2024-27304:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-27304: pgx SQL Injection via Protocol Message Size Overflow

Impact

Patches

Workarounds

9.8

9.8

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI