CVE Reports

Originally published at cvereports.com

GHSA-JQCQ-XJH3-6G23: Denial of Service via Unbounded Allocation in pgproto3

Vulnerability ID: GHSA-JQCQ-XJH3-6G23
CVSS Score: 5.3
Published: 2026-03-18

A denial of service vulnerability exists in the github.com/jackc/pgproto3/v2 Go package due to the absence of bounds checking during PostgreSQL wire protocol message encoding. This flaw allows a misconfigured peer or malicious actor to cause excessive memory allocation, leading to application crashes via out-of-memory (OOM) errors.

TL;DR

The pgproto3 Go package fails to validate the size and element count of PostgreSQL wire protocol messages during encoding, allowing an attacker to trigger massive memory allocations and cause a denial of service (DoS) via OOM.


Technical Details

  • Vulnerability Type: Denial of Service (DoS)
  • CWE ID: CWE-400
  • Attack Vector: Network
  • CVSS v3.1 Score: 5.3
  • Impact: Loss of Availability (OOM Panic)
  • Exploit Status: No public weaponized exploits
  • Patched Version: v2.3.3

Affected Systems

  • github.com/jackc/pgproto3/v2 (Go module)
  • github.com/jackc/pgproto3/v2: < 2.3.3 (Fixed in: 2.3.3)

Mitigation Strategies

  • Upgrade github.com/jackc/pgproto3/v2 to version v2.3.3 or higher.
  • Update application code to handle the new error return values from the modified Encode functions.
  • Implement application-level input validation to reject payloads that would result in excessive parameter or field counts.
  • Enforce network-level payload size restrictions at load balancers or API gateways to prevent the ingestion of anomalously large data structures.

Remediation Steps

  1. Navigate to the root directory of the Go project.
  2. Execute go get github.com/jackc/pgproto3/v2@v2.3.3 to fetch the patched version.
  3. Execute go mod tidy to update the module dependencies.
  4. Identify all code locations invoking Encode(dst []byte) and refactor them to handle the new signature Encode(dst []byte) ([]byte, error).
  5. Compile the application and deploy the updated binary to production environments.
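The following is an added illustration of step 4 and the application-level validation above, written for this post and not taken from pgproto3: a constructed, simplified Bind encoder in the patched (dst []byte) ([]byte, error) shape, where the assumed caps maxParams and maxBytes are checked before any buffer is grown. The Bind type, the limits and the sample values are all constructed for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Constructed stand-in for a pgproto3-style Bind message (not the pgproto3 type);
// NULL parameters (wire length -1) are left out to keep the example short.
type Bind struct {
	DestinationPortal string
	PreparedStatement string
	Parameters        [][]byte
}

// EncodeBind follows the patched (dst []byte) ([]byte, error) shape. maxParams and
// maxBytes are assumed application-level caps (keep maxBytes <= math.MaxInt32 so
// the Int32 length field can represent every accepted message); both are checked
// before the buffer grows, so an oversized message yields an error, not an OOM.
func EncodeBind(dst []byte, b *Bind, maxParams, maxBytes int) ([]byte, error) {
	if n := len(b.Parameters); n > maxParams || n > 65535 { // wire count is Int16
		return nil, fmt.Errorf("bind: %d parameters exceeds limit", n)
	}
	// Wire layout: Int32 len, portal\0, statement\0, Int16 paramFormatCount(0),
	// Int16 paramCount, (Int32 len + bytes) per param, Int16 resultFormatCount(0).
	size := 4 + len(b.DestinationPortal) + 1 + len(b.PreparedStatement) + 1 + 2 + 2 + 2
	for _, p := range b.Parameters {
		size += 4 + len(p)
	}
	if size > maxBytes {
		return nil, fmt.Errorf("bind: encoded size %d exceeds %d bytes", size, maxBytes)
	}
	dst = append(dst, 'B')
	dst = binary.BigEndian.AppendUint32(dst, uint32(size))
	dst = append(append(dst, b.DestinationPortal...), 0)
	dst = append(append(dst, b.PreparedStatement...), 0)
	dst = binary.BigEndian.AppendUint16(dst, 0)
	dst = binary.BigEndian.AppendUint16(dst, uint16(len(b.Parameters)))
	for _, p := range b.Parameters {
		dst = binary.BigEndian.AppendUint32(dst, uint32(len(p)))
		dst = append(dst, p...)
	}
	dst = binary.BigEndian.AppendUint16(dst, 0)
	return dst, nil
}

func main() {
	_, err := EncodeBind(nil, &Bind{Parameters: make([][]byte, 5000)}, 1000, 1<<20)
	fmt.Println(err) // 5000 parameters against a cap of 1000: rejected before any buffer is built
}
```

Callers that previously used the single-value Encode must now check the returned error, which is exactly the refactor step 4 describes.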

References

Read the full report for GHSA-JQCQ-XJH3-6G23 on our website for more details including interactive diagrams and full exploit analysis.
