Vulnerability in tyk project

[ankitdn]

While working on tyk project, I reviewed the dependency manifest and found that it uses a vulnerable version of github.com/jackc/pgx/v5. During analysis, I discovered that when using the non-default simple protocol, queries containing dollar-quoted string literals may be misinterpreted as containing placeholders.

CVE Report
CVE Link

[probelabs]

Thank you for your contribution!

Hi @ankitdn, thank you for reporting this potential security vulnerability. We appreciate you taking the time to review our dependencies and bring this to our attention.

Based on your report, you've identified a vulnerability in github.com/jackc/pgx/v5 related to potential SQL injection when using the non-default simple protocol.

Initial Triage

We have reviewed our go.mod file and can confirm that github.com/jackc/pgx/v5 is not a direct dependency of the Tyk Gateway project. It's possible this dependency is being pulled in transitively by another library.

To help us investigate further, could you please provide the output of go mod why github.com/jackc/pgx/v5 from within the Tyk Gateway repository? This will help us identify which direct dependency is introducing the vulnerable package so we can address it with the upstream maintainer or update the library as needed.

Next Steps

Once we have the dependency path, we will assess the usage to determine if the vulnerable code path is active in Tyk Gateway. In parallel, we will explore updating the parent dependency to a version that resolves this CVE.

We will post further updates on this issue as our investigation progresses.

References:

• go.mod

---

Powered by Visor from Probelabs

💡 TIP: You can chat with Visor using /visor ask <your question>