github.com/jackc/pgx vulnerabilities
2 known vulnerabilities affecting github.com/jackc/pgx.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH: 2
Vulnerabilities
CVE-2024-27304 | HIGH | affected versions: ≥ 0, < 4.18.2 and ≥ 5.0.0, < 5.5.4 | published 2024-03-04
CVE-2024-27304 [HIGH] CWE-190 pgx SQL Injection via Protocol Message Size Overflow
### Impact
SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.
### Patches
The problem is resolved in v4.18.2 and v5.5.4.
### Workarounds
Reject user input large
CVE-2024-27289 | HIGH | affected versions: ≥ 0, < 4.18.2 | published 2024-03-04
CVE-2024-27289 [HIGH] CWE-89 pgx SQL Injection via Line Comment Creation
### Impact
SQL injection can occur when all of the following conditions are met:
1. The non-default simple protocol is used.
2. A placeholder for a numeric value must be immediately preceded by a minus.
3. There must be a second placeholder for a string value after the first placeholder; both must be on the same line.
4. Both parameter values must be user-controlled.
e.g.
Sim