How the mentioned CVE works (technical details):
The vulnerability exists in ydb-go-sdk’s table service client when using `options.WithCommit()` on the final `table.Transaction.Execute` call. Normally, the `WithCommit` flag should automatically commit the transaction after the last operation. However, due to a logic flaw in versions v3.104.6 through v3.134.1, the commit is silently ignored. The SDK fails to issue the underlying `CommitTx` request to the YDB database. The transaction remains pending and eventually times out or is rolled back. Applications incorrectly assume that data has been persisted because the API returns without an error. In rare race conditions (e.g., network delays or session expirations), this leads to incomplete writes and loss of data consistency. The bug was introduced in commit `251128a` and fixed in commit `25dcff4` by ensuring `WithCommit` triggers an explicit commit.
dailycve form:
Platform: YDB Go SDK
Version: 3.104.6-3.134.1
Vulnerability: Transaction commit bypass
Severity: Low
Date: April 22 2026
Prediction: Apr 30 2026
What Undercode Says:

Check the required version in go.mod:

```shell
grep "ydb-go-sdk" go.mod
```

Verify the installed version (the v3 module path carries the `/v3` suffix):

```shell
go list -m github.com/ydb-platform/ydb-go-sdk/v3
```

Vulnerable pattern (DO NOT USE on v3.104.6 through v3.134.1):

```go
// The WithCommit flag is silently ignored: no CommitTx request reaches the server,
// yet Execute returns without an error.
_, err := tx.Execute(ctx, query, params, options.WithCommit())
```

Fixed pattern (v3.134.2+):

```go
// The same call on v3.134.2 or later now correctly commits.
_, err := tx.Execute(ctx, query, params, options.WithCommit())
```

Workaround: explicit commit

```go
_, err := tx.Execute(ctx, query, params)
if err == nil {
	// Issue the commit explicitly instead of relying on WithCommit.
	_, err = tx.CommitTx(ctx)
}
```

Workaround: use DoTx

```go
err := db.Table().DoTx(ctx, func(ctx context.Context, tx table.TransactionActor) error {
	_, err := tx.Execute(ctx, query, params, options.WithCommit())
	return err
})
```
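Checking a version against the affected range by eye is error-prone, so here is an added example (not code from the advisory or the ydb-go-sdk project) that reads the `ydb-go-sdk/v3` requirement out of a go.mod and tests it against v3.104.6 through v3.134.1, handling pseudo-versions (`v3.134.2-0.2026...-abc`) as well as tagged releases. It assumes the v3 module path `github.com/ydb-platform/ydb-go-sdk/v3`; the function names `versionKey`, `IsVulnerable` and `YDBVersionFromGoMod` are my own.

```go
package main

import (
	"strconv"
	"strings"
)

// Module path and affected range from the advisory (v3.104.6 through v3.134.1,
// inclusive), as versionKey values: major*1e6 + minor*1e3 + patch.
const (
	ydbModule       = "github.com/ydb-platform/ydb-go-sdk/v3"
	firstVulnerable = 3_104_006 // v3.104.6
	lastVulnerable  = 3_134_001 // v3.134.1
)

// versionKey maps "v3.134.1" (any "-..." pseudo-version suffix dropped) to one orderable int; ok is false on malformed input.
func versionKey(v string) (key int, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, false
	}
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n > 999 { // components above 999 would break the key ordering
			return 0, false
		}
		key = key*1000 + n
	}
	return key, true
}

// IsVulnerable reports whether a ydb-go-sdk version lies in the affected range; ok is false for a malformed version.
func IsVulnerable(version string) (vulnerable, ok bool) {
	k, ok := versionKey(version)
	return ok && k >= firstVulnerable && k <= lastVulnerable, ok
}

// YDBVersionFromGoMod returns the ydb-go-sdk/v3 version a go.mod requires ("require m v" or block form "m v"), or "" if absent.
func YDBVersionFromGoMod(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == ydbModule {
			return f[1]
		}
	}
	return ""
}
```

Feed the contents of a go.mod to `YDBVersionFromGoMod` and the result to `IsVulnerable`; a replaced or otherwise malformed requirement comes back with `ok == false` rather than a false "not vulnerable".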
Exploit:
No direct public exploit exists; the bug manifests silently. An attacker cannot force the issue but could benefit from a prior inconsistent state. To trigger, repeatedly execute transactions with `WithCommit` under high concurrency or session reconnects. Data written inside the transaction will be lost without any error indication.
Protection from this CVE:
- Upgrade to ydb-go-sdk v3.134.2 or later.
- Replace `options.WithCommit()` with an explicit `tx.CommitTx(ctx)`.
- Use `db.Table().DoTx()` or `db.Query().Do()` instead of manual session/transaction handling.
- Monitor YDB session logs for unexpected rollbacks.
Impact:
Loss of data consistency in rare cases – writes that appear successful are never committed. Affects any application relying on `options.WithCommit()` for atomic updates. No data corruption, only missing writes. Severity is Low because explicit `CommitTx` or `DoTx` patterns are common, and the bug requires specific usage.
Sources:
Reported By: github.com