Skip to content

fix(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security]#24

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-github.com-jackc-pgx-v5-vulnerability
Open

fix(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security]#24
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-github.com-jackc-pgx-v5-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate Bot commented Apr 19, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/jackc/pgx/v5 v5.7.6v5.9.2 age confidence

Memory-safety vulnerability in github.com/jackc/pgx/v5.

CVE-2026-33816 / GHSA-9jj7-4m8r-rfcm

More information

Details

Memory-safety vulnerability in github.com/jackc/pgx/v5.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pgx: SQL Injection via placeholder confusion with dollar quoted string literals

CVE-2026-41889 / GHSA-j88v-2chj-qfwx

More information

Details

Impact

SQL Injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That string literal contains text that would be would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

Patches

The problem is resolved in v5.9.2.

Workarounds

Do not use the simple protocol to execute queries matching all the above conditions.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

jackc/pgx (github.com/jackc/pgx/v5)

v5.9.2

Compare Source

v5.9.1

Compare Source

v5.9.0

Compare Source

v5.8.0

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title fix(deps): update module github.com/jackc/pgx/v5 to v5.9.0 [security] fix(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security] Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-jackc-pgx-v5-vulnerability branch from dced907 to 7a6c756 Compare April 30, 2026 02:32
@renovate renovate Bot changed the title fix(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security] fix(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security] - autoclosed May 16, 2026
@renovate renovate Bot closed this May 16, 2026
@renovate renovate Bot deleted the renovate/go-github.com-jackc-pgx-v5-vulnerability branch May 16, 2026 07:58
@renovate renovate Bot changed the title fix(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security] - autoclosed fix(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security] May 17, 2026
@renovate renovate Bot reopened this May 17, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-jackc-pgx-v5-vulnerability branch 2 times, most recently from 7a6c756 to 345bfad Compare May 17, 2026 06:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants