Doltgres currently pins github.com/jackc/pgx/v5 to v5.6.1-0.20240826124046-97d20ccfadaa (see go.mod). This pseudo-version predates the fix for CVE-2026-33816, a memory-safety vulnerability in pgx's pgproto3 subpackage disclosed on 2026-04-07. The advisory is tracked as GO-2026-4772 / GHSA-9jj7-4m8r-rfcm, carries a CVSS 9.8 (critical) rating, and is categorized as CWE-20 (improper input validation). The affected symbols are pgproto3.Backend.Receive and pgproto3.FunctionCall.Decode, both of which sit on the server-side Postgres wire-protocol read path.
Doltgres is exposed to this because it implements a Postgres wire server using pgx's pgproto3 package directly. server/connection_data.go and server/node/no_op.go both import pgx/v5/pgproto3, and server/logrepl/replication.go uses the same package as part of logical replication handling. That means Backend.Receive is invoked on every incoming client connection, putting unauthenticated or minimally authenticated traffic on the vulnerable path.
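The practical question for anyone triaging this is whether the pin in go.mod sorts below the version that carries the fix, and the trap is that a Go pseudo-version such as v5.6.1-0.20240826124046-97d20ccfadaa orders before the tagged v5.6.1, not after it. The following is an added example written for this page, not Doltgres or pgx code: it reads the pgx/v5 requirement out of a constructed go.mod fragment and compares it against a fix threshold with pseudo-version-aware ordering. The fragment and the "v5.6.1" threshold are placeholders; substitute the real go.mod and the fixed version named in the GO-2026-4772 advisory.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod fragment for this example (not the real
// Doltgres go.mod); it carries the pgx/v5 pin quoted in the text.
const sampleGoMod = `module github.com/dolthub/doltgresql

go 1.22

require (
	github.com/jackc/pgx/v5 v5.6.1-0.20240826124046-97d20ccfadaa
	golang.org/x/crypto v0.27.0
)
`

// PinnedVersion returns the version goMod requires for modPath, accepting both
// the single-line form ("require <path> <ver>") and the block form.
func PinnedVersion(goMod, modPath string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) >= 3 && f[0] == "require" && f[1] == modPath:
			return f[2], true
		case len(f) >= 2 && f[0] == modPath:
			return f[1], true
		}
	}
	return "", false
}

type version struct {
	nums [3]int
	pre  string // text after the first '-', e.g. "0.20240826124046-97d20ccfadaa"; "" for a tagged release
}

func parseVersion(v string) (version, error) {
	var out version
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		out.pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a vMAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q: %w", p, err)
		}
		out.nums[i] = n
	}
	return out, nil
}

// compare orders versions the way the go command does for the cases that matter
// here: numeric MAJOR.MINOR.PATCH first; a tagged release sorts after any
// prerelease or pseudo-version of the same base; two pseudo-versions of the same
// base order by timestamp (lexical compare is exact for the fixed-width
// "0.yyyymmddhhmmss-hash" form).
func compare(a, b version) int {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// IsBelowFix reports whether pinned sorts strictly before fixed, i.e. whether a
// module pinned at `pinned` still lacks a fix that first shipped in `fixed`.
func IsBelowFix(pinned, fixed string) (bool, error) {
	p, err := parseVersion(pinned)
	if err != nil {
		return false, err
	}
	f, err := parseVersion(fixed)
	if err != nil {
		return false, err
	}
	return compare(p, f) < 0, nil
}

func main() {
	// Placeholder threshold: any tagged v5.6.1 or later release postdates the
	// pinned pseudo-version. Replace with the fixed version from GO-2026-4772.
	const fixed = "v5.6.1"
	pinned, ok := PinnedVersion(sampleGoMod, "github.com/jackc/pgx/v5")
	if !ok {
		fmt.Println("pgx/v5 is not a direct requirement")
		return
	}
	below, err := IsBelowFix(pinned, fixed)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("pinned %s, fix threshold %s, below fix: %v\n", pinned, fixed, below)
}
```

This answers only the version question. To confirm that the affected symbols are actually reachable from Doltgres' server packages, run `govulncheck ./...` in the repository; it reports findings at the symbol level, so a hit on pgproto3.Backend.Receive there corroborates the read-path exposure described above rather than merely the presence of the module.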