Anonymous Intelligence Signal

PostgreSQL Driver pgx Patches SQL Injection When Simple Protocol Meets Dollar Quoting

The Lab (human) | unverified | 2026-04-23 06:54:07 | Source: GitHub Issues

A high-severity SQL injection vulnerability has been identified and patched in github.com/jackc/pgx/v5, a widely adopted PostgreSQL driver for Go applications. The flaw, tracked as GHSA-j88v-2chj-qfwx, is fixed in version 5.9.2; users of the affected v5.9.0 release are advised to upgrade. The worst case is arbitrary SQL execution on the database, but the specific combination of conditions required for exploitation narrows its practical risk profile.

The injection occurs when four conditions align simultaneously: the non-default simple protocol is in use, a dollar-quoted string literal (`$tag$...$tag$`) appears in the SQL query, that string literal contains text that would be interpreted as a placeholder (such as `$1`) if it were outside the string, and the attacker controls the value bound to that placeholder. The background is that the simple protocol carries no out-of-band parameters, so pgx has to substitute escaped literals into the query text on the client side, which in turn requires lexing the SQL to find the real placeholders; the conditions above describe a query where a placeholder-like token inside dollar quotes was treated as a real one. A proof of concept shows how a malicious input such as `$tag$; drop table canary; --` could trigger unintended SQL behavior under these precise circumstances: the substituted value closes the dollar-quoted string early, and what follows is executed as a separate statement. Maintainers explicitly note this scenario is unlikely to occur outside of deliberately constructed test cases.
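To make the four conditions concrete, here is a model of client-side placeholder substitution written for this note; it is an added example, not pgx's own sanitizer, and it does not reproduce the exact defect in v5.9.0. It contains a small SQL lexer that knows about single-quoted literals, dollar-quoted literals and comments, and interpolates the same query two ways: once treating every `$N` as a placeholder regardless of context (the failure mode the advisory's conditions describe), and once substituting only outside literals and comments. A second pass over each result counts the statement separators the server would see, which is how the example shows that the first variant turns one statement into several. The query, the tag name and the canary table are constructed inputs taken from the advisory's proof of concept.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// quoteLiteral renders a Go string as a PostgreSQL single-quoted literal by
// doubling embedded quotes. It does nothing about dollar-quote delimiters,
// which is fine inside '...' but fatal if the substitution lands inside a
// dollar-quoted string, where the '...' quoting means nothing.
func quoteLiteral(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

func isTagByte(c byte) bool {
	return c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
}

// dollarQuoteEnd returns the index just past the dollar-quoted string that
// starts at sql[i] (which must be '$'), or -1 if no valid $tag$ or $$ opener
// starts there. Tags may not begin with a digit, so "$1" is never an opener.
func dollarQuoteEnd(sql string, i int) int {
	j := i + 1
	for j < len(sql) && isTagByte(sql[j]) {
		j++
	}
	if j >= len(sql) || sql[j] != '$' || (j > i+1 && sql[i+1] >= '0' && sql[i+1] <= '9') {
		return -1
	}
	tag := sql[i : j+1] // includes both '$' delimiters
	end := strings.Index(sql[j+1:], tag)
	if end < 0 {
		return len(sql) // unterminated: the rest of the text is string content
	}
	return j + 1 + end + len(tag)
}

// skipQuotedOrComment returns the index just past the string literal or
// comment beginning at sql[i], or -1 if sql[i] begins neither.
func skipQuotedOrComment(sql string, i int) int {
	switch {
	case sql[i] == '\'':
		j := i + 1
		for j < len(sql) {
			if sql[j] == '\'' {
				if j+1 < len(sql) && sql[j+1] == '\'' { // '' escapes a quote
					j += 2
					continue
				}
				return j + 1
			}
			j++
		}
		return j
	case strings.HasPrefix(sql[i:], "--"):
		if nl := strings.IndexByte(sql[i:], '\n'); nl >= 0 {
			return i + nl + 1
		}
		return len(sql)
	case strings.HasPrefix(sql[i:], "/*"): // PostgreSQL block comments nest
		depth, j := 1, i+2
		for j < len(sql) && depth > 0 {
			switch {
			case strings.HasPrefix(sql[j:], "/*"):
				depth++
				j += 2
			case strings.HasPrefix(sql[j:], "*/"):
				depth--
				j += 2
			default:
				j++
			}
		}
		return j
	case sql[i] == '$':
		return dollarQuoteEnd(sql, i)
	}
	return -1
}

// placeholderEnd returns the index just past a $N placeholder at sql[i] and N,
// or -1 if sql[i] does not start one.
func placeholderEnd(sql string, i int) (int, int) {
	j := i + 1
	for j < len(sql) && sql[j] >= '0' && sql[j] <= '9' {
		j++
	}
	if j == i+1 {
		return -1, 0
	}
	n, _ := strconv.Atoi(sql[i+1 : j])
	return j, n
}

// interpolate substitutes quoted args for $N placeholders on the client, as a
// simple-protocol driver must. With respectQuoting=false every $N is rewritten
// wherever it appears (the defective behaviour); with true, literals and
// comments are copied through untouched and only code-position $N is replaced.
func interpolate(sql string, args []string, respectQuoting bool) string {
	var out strings.Builder
	for i := 0; i < len(sql); {
		if respectQuoting {
			if j := skipQuotedOrComment(sql, i); j >= 0 {
				out.WriteString(sql[i:j])
				i = j
				continue
			}
		}
		if sql[i] == '$' {
			if j, n := placeholderEnd(sql, i); j >= 0 && n >= 1 && n <= len(args) {
				out.WriteString(quoteLiteral(args[n-1]))
				i = j
				continue
			}
		}
		out.WriteByte(sql[i])
		i++
	}
	return out.String()
}

// topLevelSemicolons counts statement separators outside literals and
// comments, i.e. the number of extra statements the server would execute.
func topLevelSemicolons(sql string) int {
	n := 0
	for i := 0; i < len(sql); {
		if j := skipQuotedOrComment(sql, i); j >= 0 {
			i = j
			continue
		}
		if sql[i] == ';' {
			n++
		}
		i++
	}
	return n
}

func main() {
	// Constructed inputs modelled on the advisory's proof of concept.
	query := "select $tag$ $1 $tag$"
	args := []string{"$tag$; drop table canary; --"}
	for _, respect := range []bool{false, true} {
		out := interpolate(query, args, respect)
		fmt.Printf("respectQuoting=%-5v extra statements=%d  %s\n", respect, topLevelSemicolons(out), out)
	}
}
```

The unsafe pass yields `select $tag$ '$tag$; drop table canary; --' $tag$`: the server closes the dollar-quoted string at the attacker's `$tag$`, runs `drop table canary`, and discards the rest as a comment. The context-aware pass leaves the string body alone, so the server sees the characters `$1` as literal text and nothing else changes. The same payload bound to a placeholder in code position (`select $1`) is harmless in both passes, because there `quoteLiteral` is sufficient; the vulnerability is about where the substitution lands, not about the escaping of the value.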

The patch is available immediately in v5.9.2, with no workarounds recommended beyond avoiding the simple protocol. Projects relying on pgx/v5 for PostgreSQL connectivity should verify their dependency version (for example with `go list -m github.com/jackc/pgx/v5`, or `govulncheck ./...`, which reports known advisories against the resolved module versions) and assess whether the simple protocol is in use on any query path: as the connection-level default (`default_query_exec_mode=simple_protocol` in the connection string, or `ConnConfig.DefaultQueryExecMode` set to `pgx.QueryExecModeSimpleProtocol`) or per call, where `pgx.QueryExecModeSimpleProtocol` is passed as the first argument to `Query` or `Exec`. "Non-default" should not be read as "unused": the simple protocol is commonly enabled on purpose behind connection poolers that cannot handle prepared statements. The narrowness of the attack vector makes widespread exploitation unlikely, but the high severity classification warrants prioritized patching in security-sensitive environments.