CVE-2024-32655: SQL Injection Flaw Discovered in Popular PostgreSQL Driver, Npgsql
A high-severity security vulnerability (CVE-2024-32655) has been discovered in Npgsql, a widely used open-source data provider for connecting .NET applications to PostgreSQL databases. The flaw, rated with a CVSS score of 8.1, could allow attackers to inject malicious SQL commands into affected applications, potentially leading to data breaches, unauthorized access, and other serious consequences.
Npgsql is a key component in the .NET ecosystem, allowing developers to write applications in languages like C#, Visual Basic, and F# that interact with PostgreSQL databases. As an entirely open-source project implemented in C#, Npgsql is essential for numerous business and critical applications worldwide.
The issue resides in the WriteBind() method within the file src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs. The vulnerability stems from the method's handling of the integer variables used to store the lengths of messages and their parameters. An overflow occurs when the sum of the parameter lengths exceeds the capacity of the integer holding it. As a result, the application writes incorrect message sizes when crafting PostgreSQL protocol messages to be sent over the network.
The consequence is that the receiving PostgreSQL database server misinterprets these incorrectly sized messages. It reads only a portion of the data, treating the remainder as a separate message. This error can be exploited by attackers to inject arbitrary PostgreSQL protocol messages into the connection stream, ultimately leading to the execution of unauthorized SQL statements.
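The defect class described above is a length accumulator that silently wraps. The following C program is an added illustration, not Npgsql's code: it models a simplified length-prefixed message (a 4-byte length field, a 2-byte parameter count, then a 4-byte length prefix per parameter followed by its bytes; the real Bind message has further fields) and compares a naive 32-bit accumulator with a checked one that refuses to emit a message whose true size cannot be represented in the protocol's 32-bit length field. The sample parameter lengths are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model (an assumption for this example, not the real wire
 * layout): 4-byte length field + 2-byte parameter count, then for each
 * parameter a 4-byte length prefix followed by that many bytes. */
#define HEADER_BYTES (4u + 2u)

/* Naive accumulator: sums into 32-bit storage, so once the true size
 * passes 2^32 the value silently wraps. Unsigned arithmetic is used so the
 * wrap is well-defined C; the declared size no longer matches the bytes
 * that will actually be written after it. */
static uint32_t naive_bind_length(const uint32_t *param_lens, size_t n) {
    uint32_t total = HEADER_BYTES;
    for (size_t i = 0; i < n; i++) {
        total += 4u + param_lens[i];   /* may wrap without any signal */
    }
    return total;
}

/* Checked accumulator: computes the same sum in 64 bits and fails closed
 * as soon as it exceeds INT32_MAX, the largest value the protocol's signed
 * 32-bit length field can carry. Returns 0 on success, -1 on overflow. */
static int checked_bind_length(const uint32_t *param_lens, size_t n,
                               int32_t *out) {
    uint64_t total = HEADER_BYTES;
    for (size_t i = 0; i < n; i++) {
        total += 4u + (uint64_t)param_lens[i];
        if (total > (uint64_t)INT32_MAX) {
            return -1;  /* do not send a message with an unrepresentable size */
        }
    }
    *out = (int32_t)total;
    return 0;
}

/* Constructed sample inputs: an ordinary request and one whose parameter
 * lengths sum past 2^32. */
static const uint32_t SAMPLE_SMALL[] = { 100u, 200u };
static const uint32_t SAMPLE_BIG[]   = { 2147483632u, 2147483632u, 2147483632u };

/* Wrappers returning the checked result for each sample (-1 = rejected). */
static int64_t checked_result_small(void) {
    int32_t len;
    return checked_bind_length(SAMPLE_SMALL, 2, &len) == 0 ? len : -1;
}

static int64_t checked_result_big(void) {
    int32_t len;
    return checked_bind_length(SAMPLE_BIG, 3, &len) == 0 ? len : -1;
}

int main(void) {
    printf("small: naive=%u checked=%lld\n",
           naive_bind_length(SAMPLE_SMALL, 2), (long long)checked_result_small());
    printf("big:   naive=%u checked=%lld\n",
           naive_bind_length(SAMPLE_BIG, 3), (long long)checked_result_big());
    return 0;
}
```

For the ordinary request both accumulators agree (314 bytes). For the oversized one the naive accumulator reports 2147483618 bytes, a plausible-looking value that is nowhere near the real 6442450914, while the checked version rejects the message before anything reaches the wire. The mitigation is the same wherever a length prefix is computed from attacker-influenced sizes: accumulate in a wider type or with overflow-checked arithmetic, and treat an unrepresentable total as an error rather than truncating it.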
The CVE-2024-32655 flaw affects a wide range of Npgsql versions, including all releases from 4.0.0 up to 8.0.2. Security researcher Paul Gerste is credited with discovering and responsibly disclosing the vulnerability.
The potential impact of this flaw is significant, as it could allow attackers to compromise sensitive data, disrupt application functionality, or even gain complete control over the underlying database.
Fortunately, patches have been released for all affected Npgsql versions. Developers and system administrators are strongly advised to upgrade to the latest patched versions immediately:
Organizations using Npgsql should prioritize this update and conduct thorough security audits to ensure that their systems have not been compromised.