AIKIDO-2025-10850

github.com/uptrace/bun/driver/pgdriver is vulnerable to SQL Injection

SQL Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Nov 27, 2025

30

Low Risk

This Affects:

Go: github.com/uptrace/bun/driver/pgdriver
0.1.0 - 1.2.15
Fixed in 1.2.16

TL;DR

Affected versions of this package could be vulnerable to SQL injection when PostgreSQL’s standard_conforming_strings is explicitly set to off, a legacy configuration that modern deployments rarely use. Because this setting has defaulted to on for over a decade, the practical impact is minimal. The fix enforces standard_conforming_strings=on and client_encoding=UTF8 to ensure safe string-literal handling, though testing these conditions is difficult without legacy or deliberately misconfigured PostgreSQL instances.
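The following is an added illustration, not code from the pgdriver project: it models how a quote-doubling literal escaper behaves when the server reads string literals with standard_conforming_strings on versus off, as a round-trip check a driver test suite could use. The function names (quoteLiteral, lexLiteral, roundTrips) are assumed for the example; the model is byte-oriented and does not cover the client_encoding part of the fix.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteLiteral builds a standard-conforming PostgreSQL string literal
// by doubling single quotes; nothing else is treated as special.
func quoteLiteral(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// lexLiteral models how the server reads a quoted literal at the start
// of sql. With conforming=true (standard_conforming_strings=on) a
// backslash is ordinary text; with conforming=false it escapes the next
// byte. Returns the decoded value and the unconsumed remainder of sql.
func lexLiteral(sql string, conforming bool) (string, string) {
	if !strings.HasPrefix(sql, "'") {
		return "", sql
	}
	var out strings.Builder
	for i := 1; i < len(sql); {
		c := sql[i]
		switch {
		case c == '\\' && !conforming && i+1 < len(sql):
			out.WriteByte(sql[i+1]) // legacy mode: backslash swallows next byte
			i += 2
		case c == '\'' && i+1 < len(sql) && sql[i+1] == '\'':
			out.WriteByte('\'') // doubled quote decodes to one quote
			i += 2
		case c == '\'':
			return out.String(), sql[i+1:] // closing quote; rest is SQL
		default:
			out.WriteByte(c)
			i++
		}
	}
	return out.String(), "" // unterminated literal
}

// roundTrips reports whether a value survives quoting and lexing intact
// with no trailing bytes leaking out of the literal into the statement.
func roundTrips(value string, conforming bool) bool {
	got, rest := lexLiteral(quoteLiteral(value), conforming)
	return got == value && rest == ""
}

func main() {
	for _, v := range []string{"O'Reilly", `C:\path`, `a\'b`} { // constructed inputs
		fmt.Printf("%-10q on=%v off=%v\n", v, roundTrips(v, true), roundTrips(v, false))
	}
}
```

With the setting on, every input round-trips, which is why the fix pins it; with it off, any backslash in the data either corrupts the value or ends the literal early, so the escaper alone is not sufficient.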

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you explicitly set standard_conforming_strings=off.

Background info

github.com/uptrace/bun/driver/pgdriver is vulnerable to SQL Injection in versions 0.1.0 - 1.2.15.

How to fix this

Upgrade the github.com/uptrace/bun/driver/pgdriver library to the patched version, 1.2.16 or later.