Listen to this Post
The CVE-2025-54236 vulnerability in the pgx PostgreSQL driver for Go arises from a confusion between dollar-quoted string literals and placeholders. This flaw can lead to SQL injection when several conditions are met.
1. The application must use the non-default simple query protocol (QueryExecModeSimpleProtocol) instead of the preferred extended protocol。
2. The SQL query must contain a dollar-quoted string literal (e.g., $tag$...$tag$)。
3. Inside this dollar-quoted string literal, the raw text must include a sequence that looks like a placeholder, such as $1。
4. The PostgreSQL driver processes the SQL string and attempts to replace this internal `$1` with a user-supplied value.
5. Critically, the value of that placeholder is controlled by an attacker.
6. For example, an attacker can set the value to a malicious SQL payload like $tag$; DROP TABLE canary; --。
7. When the driver parses the query, the `$tag$` inside the payload prematurely terminates the string context.
8. The driver then interprets the following malicious SQL as part of the main command, not as data.
9. The injection occurs because the driver fails to properly distinguish between a placeholder for a parameter and placeholder-like text inside a dollar-quoted string.
10. This allows an attacker to break out of the intended string context and execute arbitrary SQL commands.
11. The attack vector is the manipulation of a single parameter within the simple protocol.
12. Postgres’s `simpleQuery` function, which processes these queries, receives the fully assembled SQL string.
13. The vulnerability is due to an insufficient state machine or parser that cannot correctly identify quote contexts.
14. The issue is not exploitable when using the extended protocol with prepared statements.
15. In the extended protocol, parameters are sent separately from the SQL string, eliminating this injection vector.
16. The project’s maintainers considered this scenario “unlikely to occur outside of a contrived scenario,” which explains its low severity classification.
17. The fix was implemented in version 5.9.2 by improving the SQL parsing logic。
18. The fix ensures that placeholders inside literals are correctly ignored and not replaced.
19. The vulnerability was officially published to the GitHub Advisory Database on April 22, 2026。
20. Developers using the simple protocol with dynamic dollar-quoted strings are the primary audience for this security advisory.
dailycve form: Platform: Go / pgx Version: <5.9.2 Vulnerability : SQL injection Severity: Low date: 2026-04-22 Prediction: Patch avail. 2026-04-18
What Undercode Say:
Analytics for this vulnerability show that while the severity is low, it highlights a critical parser weakness.
Check current pgx version in your go.mod grep "github.com/jackc/pgx/v5" go.mod Update to the patched version go get github.com/jackc/pgx/[email protected] Search for usage of the simple protocol in your codebase grep -r "QueryExecModeSimpleProtocol" --include=".go" .
The root cause is a flaw in how the SQL parser handles nested quoting structures. A safe workaround is to avoid the simple protocol and rely on the safe extended protocol which uses prepared statements.
Exploit:
A successful exploit requires constructing a query where an attacker-controlled value, inserted into a placeholder, also contains a valid dollar-quote tag that breaks the statement’s context.
attackValue := `$tag$; DROP TABLE canary; --` _, err = tx.Exec(ctx, <code>SELECT $tag$ $1 $tag$, $1</code>, pgx.QueryExecModeSimpleProtocol, attackValue)
Protection from this CVE
The primary protection is to upgrade to pgx version 5.9.2 or higher. If upgrading is not immediately possible, the workaround is to refuse to use the simple protocol for any query containing a dollar-quoted string literal. For long-term security, configure your application to use the extended query protocol as the default connection setting, which inherently prevents this class of injection.
Impact:
This vulnerability allows a malicious attacker to execute arbitrary SQL commands on the database. The impact is data theft, data manipulation, or complete database compromise. Although labeled “Low Severity” by the project maintainers, the successful exploitation of this advisory directly violates the fundamental security promises of a database driver.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

