Intel

AIKIDO-2026-335501

postgrex is vulnerable to SQL Injection

SQL InjectionCVE-2026-58225 Published Yesterday

21

Low Risk

This Affects:

elixirpostgrex
0.16.0 - 0.22.2
Fixed in 0.22.3
Are you affected? Scan for Free

TL;DR

Postgrex.Notifications escapes double quotes in LISTEN channel names via quote_channel/1, but does not escape PostgreSQL's $$ dollar-quote delimiter. On every reconnect, handle_connect/1 replays all registered channels inside a DO $$BEGIN ... END$$ block. A channel name containing $$ (for example x$$;SELECT 1;--) prematurely closes the dollar-quoted block, PostgreSQL rejects the malformed query on each reconnect, and notifications silently stop for every channel sharing that connection. Double-quote escaping prevents arbitrary SQL execution, so the impact is denial of service rather than data breach. Version 0.22.3 escapes $$ in channel names before embedding them in the reconnect replay query.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and pass untrusted input (such as a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3.

Background info

postgrex is vulnerable to SQL Injection in versions 0.16.0 - 0.22.2.

How to fix this

Upgrade the postgrex library to the patch version.