github.com/jackc/pgproto3/v2 vulnerabilities
3 known vulnerabilities affecting github.com/jackc/pgproto3/v2.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3
Vulnerabilities
CVE-2026-4427 | HIGH | affected versions ≥ 0, ≤ 2.3.3 | 2026-03-19
CVE-2026-4427 [HIGH] CWE-129 Duplicate Advisory: pgproto3: Negative field length panics in DataRow.Decode
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-jqcq-xjh3-6g23. This link is maintained to preserve external references.
## Original Description
A flaw was found in pgproto3. A malicious or compromised PostgreSQL server can exploit this by sending a DataRow message with a
Sources: GHSA, OSV
CVE-2026-32286 | HIGH | affected versions ≥ 2.0.0, ≤ 2.3.3 | 2026-03-18
CVE-2026-32286 [HIGH] CWE-129 Denial of service in github.com/jackc/pgproto3/v2
The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
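The defect class described above, as an added Go example that is not pgproto3's own code: a minimal decoder for the DataRow body as laid out in the PostgreSQL wire protocol (an int16 column count, then for each column an int32 length, -1 meaning NULL, followed by that many bytes). decodeDataRowUnchecked slices with the raw length and panics on a negative value, exactly the "slice bounds out of range" failure a malicious server can trigger; decodeDataRowChecked bounds-checks every length before slicing. The function names and the two sample rows are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// DataRow body as laid out in the PostgreSQL wire protocol: an int16 column
// count, then for each column an int32 length (-1 means NULL) and that many
// bytes of value. The message type byte and outer length are omitted here.

var errBadLength = errors.New("pgproto3 example: invalid DataRow field length")

// decodeDataRowUnchecked mirrors the defect class in the advisory: the field
// length is used for slicing without checking that it is non-negative or that
// it fits in the remaining buffer. A length below -1 makes the high index
// smaller than the low one and Go panics with "slice bounds out of range".
func decodeDataRowUnchecked(src []byte) [][]byte {
	n := int(int16(binary.BigEndian.Uint16(src)))
	rp := 2
	values := make([][]byte, n)
	for i := 0; i < n; i++ {
		l := int(int32(binary.BigEndian.Uint32(src[rp:])))
		rp += 4
		if l == -1 {
			values[i] = nil
			continue
		}
		values[i] = src[rp : rp+l] // panics when l < -1 or rp+l > len(src)
		rp += l
	}
	return values
}

// decodeDataRowChecked is the hardened form: the column count and every
// field length are validated against the remaining input before slicing,
// and the only negative length accepted is -1 (SQL NULL).
func decodeDataRowChecked(src []byte) ([][]byte, error) {
	if len(src) < 2 {
		return nil, errBadLength
	}
	n := int(int16(binary.BigEndian.Uint16(src)))
	if n < 0 {
		return nil, errBadLength
	}
	rp := 2
	values := make([][]byte, n)
	for i := 0; i < n; i++ {
		if len(src)-rp < 4 {
			return nil, errBadLength
		}
		l := int(int32(binary.BigEndian.Uint32(src[rp:])))
		rp += 4
		if l == -1 {
			values[i] = nil
			continue
		}
		if l < 0 || l > len(src)-rp {
			return nil, errBadLength
		}
		values[i] = src[rp : rp+l]
		rp += l
	}
	return values, nil
}

// Constructed DataRow bodies for this example.
var (
	// two columns: "abc" and NULL (length -1)
	goodRow = []byte{0, 2, 0, 0, 0, 3, 'a', 'b', 'c', 0xff, 0xff, 0xff, 0xff}
	// one column whose length is -2, as a malicious server could send
	badRow = []byte{0, 1, 0xff, 0xff, 0xff, 0xfe}
)

// decodePanics reports whether the unchecked decoder panics on src.
func decodePanics(src []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	decodeDataRowUnchecked(src)
	return false
}

func main() {
	fmt.Println("unchecked decoder panics on length -2:", decodePanics(badRow))
	_, err := decodeDataRowChecked(badRow)
	fmt.Println("checked decoder returns:", err)
	vals, _ := decodeDataRowChecked(goodRow)
	fmt.Printf("checked decoder on good row: %q, second column NULL: %v\n", vals[0], vals[1] == nil)
}
```

Because the server, not the client, chooses the field length, a client that does not validate it hands a remote peer a crash primitive; the checked decoder turns that into an ordinary protocol error the caller can handle.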
Sources: GHSA, OSV
CVE-2024-27304 | HIGH | affected versions ≥ 0, < 2.3.3 | 2024-03-04
CVE-2024-27304 [HIGH] pgproto3 SQL Injection via Protocol Message Size Overflow
### Impact
SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.
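The framing arithmetic behind this advisory, as an added Go example that is not pgproto3's or pgx's own code. Protocol messages carry a one-byte type and an int32 length that counts itself plus the body, so an unchecked int32 conversion wraps once the body reaches 4 GiB (wireLength); checkBodyLength and frameQuery show the range check that prevents it; splitMessages is a minimal backend-side framer that trusts the declared length, fed a constructed stream whose header covers only part of its body, so the remaining bytes are parsed as a second, independent Query. All function names, the constants and the sample stream are assumptions made for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Every frontend/backend protocol message starts with a one-byte type and an
// int32 length that counts the length field itself plus the body. A signed
// 32-bit length therefore cannot describe a body longer than maxBody.
const maxBody = math.MaxInt32 - 4

var errTooLarge = errors.New("pgproto3 example: body too large for int32 length")

// wireLength mirrors the overflow class in the advisory: the length is
// computed as int32(4 + bodyLen) with no range check, so for a 4 GiB body
// it wraps to a small value that covers only the first few bytes.
func wireLength(bodyLen int) int32 {
	return int32(4 + bodyLen)
}

// checkBodyLength is the range check the unchecked conversion lacks.
func checkBodyLength(bodyLen int) error {
	if bodyLen < 0 || bodyLen > maxBody {
		return errTooLarge
	}
	return nil
}

// frameQuery builds a Query ('Q') message and refuses bodies the length
// field cannot describe instead of wrapping silently.
func frameQuery(sql string) ([]byte, error) {
	body := len(sql) + 1 // query text plus NUL terminator
	if err := checkBodyLength(body); err != nil {
		return nil, err
	}
	return frameWithDeclaredLength('Q', int32(4+body), append([]byte(sql), 0)), nil
}

// frameWithDeclaredLength writes a message with an explicit length field,
// which lets the example reproduce a header that undercounts its body.
func frameWithDeclaredLength(typ byte, declared int32, body []byte) []byte {
	msg := make([]byte, 5, 5+len(body))
	msg[0] = typ
	binary.BigEndian.PutUint32(msg[1:5], uint32(declared))
	return append(msg, body...)
}

// splitMessages is a minimal backend-side framer. It trusts the declared
// length, so whatever follows a message's declared length is parsed as the
// next message; that is how an undercounted length turns one message into
// several, each with content chosen by whoever supplied the body.
func splitMessages(stream []byte) (types []byte, bodies [][]byte) {
	for len(stream) >= 5 {
		n := int(int32(binary.BigEndian.Uint32(stream[1:5])))
		if n < 4 || n-4 > len(stream)-5 {
			break // malformed or incomplete; a real server would raise an error
		}
		types = append(types, stream[0])
		bodies = append(bodies, stream[5:1+n])
		stream = stream[1+n:]
	}
	return types, bodies
}

// Constructed stream: a single Query whose body is "SELECT 1\x00" followed by
// further bytes, but whose header declares only 4+9 = 13. The bytes past the
// declared length form a second Query from the receiver's point of view.
var undercountedStream = frameWithDeclaredLength('Q', 13,
	append([]byte("SELECT 1\x00"), frameWithDeclaredLength('Q', 13, []byte("SELECT 2\x00"))...))

func main() {
	fmt.Println("int32 length for a 4 GiB body:", wireLength(1<<32)) // 4
	fmt.Println("range check for a 4 GiB body:", checkBodyLength(1<<32))
	types, bodies := splitMessages(undercountedStream)
	for i := range types {
		fmt.Printf("message %d: type %c body %q\n", i, types[i], bodies[i])
	}
}
```

The stream here is only a few bytes long because the point is the framer's behaviour, not the size: in the real bug the same undercount arises from the wrapped length, and everything the receiver sees after the declared length is still attacker-supplied query text.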
### Patches
The problem is resolved in v2.3.3.
### Workarounds
Reject user input large enough to
Sources: OSV