
John Gemignani

#31404 of 53,633
8.1 Total CVSS
Vulnerabilities · 1
PT-2023-14753
8.1
2023-02-04
Python · CVE-2022-45786

**Name of the Vulnerable Software and Affected Versions**

AGE for PostgreSQL 11, versions up to and including 1.1.0
AGE for PostgreSQL 12, versions up to and including 1.1.0

**Description**

There are issues with the AGE drivers for Golang and Python that enable SQL injection. The problem stems from the nature of the `cypher()` function, which cannot be parameterized directly; as a result, a driver that assembled the Cypher query text by string concatenation was open to SQL injection if its developer was not careful. The fix is to update to the latest Golang and Python drivers together with the latest version of AGE for PostgreSQL 11 or PostgreSQL 12. The AGE update adds a new function that enables parameterization of the `cypher()` function, which, in conjunction with the driver updates, resolves this issue.

**Recommendations**

Update to the latest Golang and Python drivers together with the latest version of AGE for PostgreSQL 11 or PostgreSQL 12 to resolve the issue. As a temporary workaround, consider restricting the use of the `cypher()` function until a patch is available. Updating AGE to the latest version adds the new function that enables parameterization of the `cypher()` function.