CVE Reports

Posted on • Originally published at cvereports.com

GHSA-28xx-pppm-vqff: Silent Data Loss via Uncommitted Transactions in ydb-go-sdk

Vulnerability ID: GHSA-28XX-PPPM-VQFF
CVSS Score: 7.5
Published: 2026-04-30

The ydb-go-sdk for Yandex Database contains a critical logic vulnerability: a transaction is not committed when the options.WithCommit() option is passed to the final table.Transaction.Execute call. The SDK discards the commit instruction before the request is transmitted, so the server executes the query but leaves the transaction open, while the SDK reports success to the calling application. The result is complete and silent data loss.

TL;DR

A logic bug in ydb-go-sdk overwrites the transaction control configuration, ignoring the WithCommit() flag. This causes transactions to remain uncommitted on the database server while the application assumes they succeeded, resulting in silent data loss.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-684: Incorrect Provision of Specified Functionality
  • Attack Vector: Local / Application Code Integration
  • Impact: Silent Data Loss, Atomicity Failure
  • Exploit Status: weaponized
  • Authentication Required: None

Affected Systems

  • ydb-go-sdk (github.com/ydb-platform/ydb-go-sdk)
  • ydb-go-sdk: < 3.134.2 (Fixed in: 3.134.2)

Code Analysis

Commit: 251128a

Refactoring of transaction control logic for Table and Query services.

Commit: 25dcff4

Direct fix for table.Session.Execute ignoring the WithCommit option.

Exploit Details

  • GitHub Advisory Database: Advisory describing the logic error, which is triggered by ordinary application use of the API.

Mitigation Strategies

  • Dependency Upgrade
  • Source Code Auditing
  • Implementation Workaround

Remediation Steps:

  1. Identify all microservices utilizing github.com/ydb-platform/ydb-go-sdk.
  2. Update the go.mod dependency to require github.com/ydb-platform/ydb-go-sdk/v3 v3.134.2 or higher.
  3. Execute standard integration tests to verify database transaction completion.
  4. If upgrade is blocked, manually refactor code to use explicit tx.CommitTx(ctx) calls instead of options.WithCommit().
  5. Perform data reconciliation checks on recently processed database transactions to identify potential inconsistencies.
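To support steps 1 and 2, the following is an added example (not part of the advisory or of the ydb-go-sdk project) that scans a service's go.mod contents for the affected module and reports the required version when it predates the fixed release 3.134.2; the go.mod excerpt inside main is constructed, and replace directives are not resolved, so run it against the output of go list -m all if your build overrides versions.

```go
package main

import (
	"fmt"
	"strings"
)

const ( // module path and fixed release as given in the advisory
	AffectedModule = "github.com/ydb-platform/ydb-go-sdk/v3"
	FixedVersion   = "v3.134.2"
)

// IsFixed reports whether v is FixedVersion or later. Unparsable versions and
// pre-releases of the fixed version (e.g. v3.134.2-rc1) count as not fixed.
func IsFixed(v string) bool {
	var got, fixed [3]int
	// Sscanf stops at the first non-digit after the patch number, so a "-rc1"
	// suffix parses fine and is handled separately below.
	if n, err := fmt.Sscanf(v, "v%d.%d.%d", &got[0], &got[1], &got[2]); err != nil || n != 3 {
		return false
	}
	fmt.Sscanf(FixedVersion, "v%d.%d.%d", &fixed[0], &fixed[1], &fixed[2])
	for i := range got {
		if got[i] != fixed[i] {
			return got[i] > fixed[i]
		}
	}
	return !strings.Contains(v, "-")
}

// VulnerableRequirement scans go.mod text (single-line or block require statements)
// and returns the affected module's required version if it predates the fix, else "".
func VulnerableRequirement(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == AffectedModule && !IsFixed(f[1]) {
			return f[1]
		}
	}
	return ""
}

func main() {
	const sample = "require (\n\tgithub.com/ydb-platform/ydb-go-sdk/v3 v3.134.1 // indirect\n)\n" // constructed excerpt
	if v := VulnerableRequirement(sample); v != "" {
		fmt.Printf("%s %s predates %s: upgrade\n", AffectedModule, v, FixedVersion)
	}
}
```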
