Skip to content

fix(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security]#30

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-github.com-jackc-pgx-v5-vulnerability
Open

fix(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security]#30
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-github.com-jackc-pgx-v5-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 16, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
github.com/jackc/pgx/v5 v5.7.6v5.9.2 age confidence

Memory-safety vulnerability in github.com/jackc/pgx/v5.

CVE-2026-33816 / GHSA-9jj7-4m8r-rfcm

More information

Details

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


pgx: SQL Injection via placeholder confusion with dollar quoted string literals

CVE-2026-41889 / GHSA-j88v-2chj-qfwx

More information

Details

Impact

SQL Injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That string literal contains text that would be would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

Patches

The problem is resolved in v5.9.2.

Workarounds

Do not use the simple protocol to execute queries matching all the above conditions.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


pgx contains memory-safety vulnerability

CVE-2026-33815 / GHSA-xgrm-4fwx-7qm8

More information

Details

pgx is a pure Go driver and toolkit for PostgreSQL. pgx prior to v5.9.0 contains a memory-safety vulnerability.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

jackc/pgx (github.com/jackc/pgx/v5)

v5.9.2

Compare Source

v5.9.1

Compare Source

v5.9.0

Compare Source

v5.8.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

0 participants