GHSA-j88v-2chj-qfwx: pgx: SQL Injection via placeholder confusion with dollar quoted string literals
SQL Injection can occur when:
- The non-default simple protocol is used.
- A dollar quoted string literal is used in the SQL query.
- That string literal contains text that would be interpreted as a placeholder outside of a string literal.
- The value of that placeholder is controllable by the attacker.
For example:

```go
// Under the simple protocol the text "$1" inside the $tag$ ... $tag$ literal is
// mistaken for a placeholder and replaced with attackValue, which closes the
// literal and appends its own statement.
attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)
```
This is unlikely to occur outside of a contrived scenario.
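The confusion arises when a substitution step treats every `$N` in the query text as a placeholder instead of tokenizing the query first. The Go program below is an added example written for this advisory, not pgx's own sanitizer: `findPlaceholders` skips single-quoted literals, dollar-quoted literals and comments before recognising `$N`; `naiveFindPlaceholders` is the purely textual scan that gets confused; and `placeholderConfusion` flags any query where the two disagree, which is the shape worth reviewing in code that runs queries with `pgx.QueryExecModeSimpleProtocol`. The function names and the sample queries are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// placeholder is a positional parameter ($N) found at byte offset Start of the query.
type placeholder struct {
	Start int
	Index int
}

func isIdentStart(c byte) bool {
	return c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// dollarTagAt returns the dollar-quote tag that begins at s[i] ("$$", "$tag$", ...)
// or "" if no valid tag starts there. PostgreSQL tags follow identifier rules
// (letter or underscore first, then letters, digits or underscores), so "$1$" is
// not a tag and "$1" in plain SQL remains a placeholder.
func dollarTagAt(s string, i int) string {
	if i >= len(s) || s[i] != '$' {
		return ""
	}
	j := i + 1
	for j < len(s) && (isIdentStart(s[j]) || (j > i+1 && isDigit(s[j]))) {
		j++
	}
	if j < len(s) && s[j] == '$' {
		return s[i : j+1]
	}
	return ""
}

// findPlaceholders scans a query the way a placeholder-aware sanitizer must: it
// steps over single-quoted literals, dollar-quoted literals and SQL comments, and
// reports only the $N tokens that appear in plain SQL text.
func findPlaceholders(sql string) []placeholder {
	var out []placeholder
	i := 0
	for i < len(sql) {
		c := sql[i]
		switch {
		case c == '\'':
			// standard string literal; '' inside it is an escaped quote
			i++
			for i < len(sql) {
				if sql[i] == '\'' {
					if i+1 < len(sql) && sql[i+1] == '\'' {
						i += 2
						continue
					}
					i++
					break
				}
				i++
			}
		case c == '-' && i+1 < len(sql) && sql[i+1] == '-':
			// line comment runs to end of line
			for i < len(sql) && sql[i] != '\n' {
				i++
			}
		case c == '/' && i+1 < len(sql) && sql[i+1] == '*':
			// block comment; PostgreSQL allows nesting, so track depth
			depth := 1
			i += 2
			for i < len(sql) && depth > 0 {
				if sql[i] == '/' && i+1 < len(sql) && sql[i+1] == '*' {
					depth++
					i += 2
					continue
				}
				if sql[i] == '*' && i+1 < len(sql) && sql[i+1] == '/' {
					depth--
					i += 2
					continue
				}
				i++
			}
		case c == '$':
			if tag := dollarTagAt(sql, i); tag != "" {
				// dollar-quoted literal: everything up to the matching tag is text
				end := strings.Index(sql[i+len(tag):], tag)
				if end < 0 {
					return out // unterminated literal; nothing after it is plain SQL
				}
				i += len(tag) + end + len(tag)
				continue
			}
			// $N in plain SQL is a real placeholder
			j := i + 1
			n := 0
			for j < len(sql) && isDigit(sql[j]) {
				n = n*10 + int(sql[j]-'0')
				j++
			}
			if j > i+1 {
				out = append(out, placeholder{Start: i, Index: n})
			}
			i = j
		default:
			i++
		}
	}
	return out
}

var naivePlaceholderRE = regexp.MustCompile(`\$[0-9]+`)

// naiveFindPlaceholders is the purely textual scan a confused substitution performs:
// every "$N" anywhere in the string, including inside literals and comments.
func naiveFindPlaceholders(sql string) []placeholder {
	var out []placeholder
	for _, m := range naivePlaceholderRE.FindAllStringIndex(sql, -1) {
		n := 0
		for _, c := range []byte(sql[m[0]+1 : m[1]]) {
			n = n*10 + int(c-'0')
		}
		out = append(out, placeholder{Start: m[0], Index: n})
	}
	return out
}

// placeholderConfusion reports whether a query has the shape this advisory
// describes: literal or comment text that a textual scan mistakes for a placeholder.
func placeholderConfusion(sql string) bool {
	return len(naiveFindPlaceholders(sql)) != len(findPlaceholders(sql))
}

func main() {
	// The query from the advisory, used here as constructed sample input.
	q := "select $tag$ $1 $tag$, $1"
	fmt.Println("real placeholders: ", findPlaceholders(q))
	fmt.Println("naive placeholders:", naiveFindPlaceholders(q))
	fmt.Println("placeholder confusion:", placeholderConfusion(q))
}
```

On the advisory's query, `findPlaceholders` reports a single placeholder (the final `$1`, at byte offset 23) while the naive scan reports two; the `$1` between `$tag$` markers is literal text and must never receive the caller's argument. Running `placeholderConfusion` over the query strings in a code base is a cheap way to find the handful of statements that need attention when the simple protocol is in use.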