PT-2026-57152 · Postgrex · Postgrex

José Valim

+1

·

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-58225

CVSS v4.0

2.1

Low

VectorAV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions postgrex versions 0.16.0 through 0.22.2
Description An issue in the Postgrex.Notifications module allows an attacker to inject SQL into the reconnect replay query by influencing a LISTEN channel name. While the quote channel/1 function sanitizes double quotes, it fails to escape the $$ dollar-quote delimiter used in the anonymous code block within the handle connect/1 function. Because the listen/3 function only rejects null bytes and names exceeding 63 bytes, a channel name containing $$ can prematurely terminate the dollar-quoted string. This causes PostgreSQL to parse the remaining input as top-level statements, leading to the rejection of the replay query during every reconnection attempt. Consequently, the notification connection fails to re-establish subscriptions, resulting in a denial of service where notifications are silently dropped for all channels sharing that connection. This occurs when untrusted input is passed as a channel name to Postgrex.Notifications.listen/3.
Recommendations Update postgrex to version 0.22.3 or later. Validate channel names before passing them to Postgrex.Notifications.listen/3 by rejecting any name containing the $$ delimiter or restricting names to alphanumeric characters and underscores.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58225
GHSA-4MW9-4QGJ-M97W

Affected Products

Postgrex