Name of the Vulnerable Software and Affected Versions sqlx versions prior to 0.8.1

Description The issue concerns a potential SQL injection vulnerability due to an overflow in the protocol level when encoding values larger than 4GiB. This can cause the server to interpret the rest of the string as binary protocol commands or other data. The vulnerability appears to affect all published versions of sqlx prior to 0.8.1, as the problematic code has existed since the beginning. Users should validate untrustworthy user input and reject any input over 4 GiB or any input that could encode to a string longer than 4 GiB. Dynamically built queries are also potentially problematic if they push the message size over this 4 GiB bound.

Recommendations For versions prior to 0.8.1, upgrade to sqlx 0.8.1 as soon as possible, especially for Postgres users, as a possible exploit has been demonstrated. Consider adding middleware that limits the size of request bodies by default for web application backends. As a temporary workaround, consider validating and limiting user input to prevent exploitation until the upgrade is applied. Restrict the use of dynamically built queries that could exceed the 4 GiB bound. Use Encode::size hint() for sanity checks, but do not assume the size returned is accurate.