CVE-2026-58225
Gravedad CVSS v4.0:
BAJA
Tipo:
CWE-89
Neutralización incorrecta de elementos especiales usados en un comando SQL (Inyección SQL)
Fecha de publicación:
10/07/2026
Última modificación:
10/07/2026
Descripción
*** Pendiente de traducción *** SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.<br />
<br />
Postgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block.<br />
<br />
The listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.<br />
<br />
An application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.<br />
<br />
This issue affects postgrex: from 0.16.0 before 0.22.3.
Impacto
Puntuación base 4.0
2.10
Gravedad 4.0
BAJA
Referencias a soluciones, herramientas e información
- https://cna.erlef.org/cves/CVE-2026-58225.html
- https://github.com/elixir-ecto/ecto/security/advisories/GHSA-4mw9-4qgj-m97w
- https://github.com/elixir-ecto/postgrex/commit/795c6062f62c4394272ff4b89170688857b4f841
- https://osv.dev/vulnerability/EEF-CVE-2026-58225
- https://github.com/elixir-ecto/ecto/security/advisories/GHSA-4mw9-4qgj-m97w



