PT-2026-57152 · Postgrex · Postgrex
José Valim
+1
·
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-58225
CVSS v4.0
2.1
Low
| Vector | AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
postgrex versions 0.16.0 through 0.22.2
Description
An issue in the
Postgrex.Notifications module allows an attacker to inject SQL into the reconnect replay query by influencing a LISTEN channel name. While the quote channel/1 function sanitizes double quotes, it fails to escape the $$ dollar-quote delimiter used in the anonymous code block within the handle connect/1 function. Because the listen/3 function only rejects null bytes and names exceeding 63 bytes, a channel name containing $$ can prematurely terminate the dollar-quoted string. This causes PostgreSQL to parse the remaining input as top-level statements, leading to the rejection of the replay query during every reconnection attempt. Consequently, the notification connection fails to re-establish subscriptions, resulting in a denial of service where notifications are silently dropped for all channels sharing that connection. This occurs when untrusted input is passed as a channel name to Postgrex.Notifications.listen/3.Recommendations
Update postgrex to version 0.22.3 or later.
Validate channel names before passing them to
Postgrex.Notifications.listen/3 by rejecting any name containing the $$ delimiter or restricting names to alphanumeric characters and underscores.Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Postgrex