postgrex is vulnerable to SQL Injection
21
Low Risk
Postgrex.Notifications escapes double quotes in LISTEN channel names via quote_channel/1, but does not escape PostgreSQL's $$ dollar-quote delimiter. On every reconnect, handle_connect/1 replays all registered channels inside a DO $$BEGIN ... END$$ block. A channel name containing $$ (for example x$$;SELECT 1;--) prematurely closes the dollar-quoted block, PostgreSQL rejects the malformed query on each reconnect, and notifications silently stop for every channel sharing that connection. Double-quote escaping prevents arbitrary SQL execution, so the impact is denial of service rather than data breach. Version 0.22.3 escapes $$ in channel names before embedding them in the reconnect replay query.
You are affected if you are using a version that falls within the vulnerable range and pass untrusted input (such as a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3.
postgrex is vulnerable to SQL Injection in versions 0.16.0 - 0.22.2.
Upgrade the postgrex library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant