Description
CVE-2025-1386 - Query smuggling in ch-go library
Impact
When using the ch-go library, under a specific condition where the query includes large, uncompressed, malicious external data, an attacker in control of that data can smuggle another query packet into the connection stream.
Patches
If you are using the ch-go library, we recommend updating to at least version 0.65.0.
Credit
This issue was found by lixts and reported through our Bugcrowd program.
Packages
Name: github.com/ClickHouse/ch-go (go)
Affected versions: < 0.65.0
Fixed version: 0.65.0
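One way to check a project against the affected range, as an added example (not code from the advisory or the ch-go project): it scans go.mod text for require directives of github.com/ClickHouse/ch-go below 0.65.0. The sample go.mod, the function names and the decision to flag pre-releases of 0.65.0 are assumptions; replace directives are not resolved.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const chgo = "github.com/ClickHouse/ch-go"
var fixed = [3]int{0, 65, 0} // first fixed version, per the advisory

// Constructed sample go.mod (assumption, not from the advisory).
const sampleGoMod = "module example.com/app\n\nrequire (\n\tgithub.com/ClickHouse/ch-go v0.64.1 // indirect\n\texample.com/other/lib v1.2.3\n)\n\nexclude github.com/ClickHouse/ch-go v0.60.0\n"

// affected: v sorts below 0.65.0; pre-releases and unparseable versions are flagged too.
func affected(v string) bool {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return true
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n != fixed[i] {
			return err != nil || n < fixed[i]
		}
	}
	return pre != "" // same core as the fix: only a pre-release sorts before it
}

// scanGoMod returns affected ch-go versions from require directives only.
func scanGoMod(gomod string) (hits []string) {
	block := "" // directive of the parenthesised block we are inside, if any
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(raw, "//", 2)[0]) // drop comments
		if len(f) == 2 && f[1] == "(" || len(f) == 1 && f[0] == ")" {
			block = strings.TrimSuffix(f[0], ")") // "require" on open, "" on close
			continue
		}
		inReq := block == "require"
		if len(f) == 3 && f[0] == "require" {
			f, inReq = f[1:], true // single-line form: require <module> <version>
		}
		if inReq && len(f) == 2 && f[0] == chgo && affected(f[1]) {
			hits = append(hits, f[1])
		}
	}
	return hits
}

func main() { fmt.Println("affected ch-go requirements:", scanGoMod(sampleGoMod)) }
```

A build that uses a replace directive for ch-go should be checked against the replacement's version by hand.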
Related vulnerabilities
CVSS3: 4.9
nvd
10 months ago