Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Pre-authentication first-read path reached over the network with no user interaction (AV:N/AC:L/PR:N/UI:N); a heap out-of-bounds write plausibly yields remote code execution, so C:H/I:H/A:H.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in the MySQL and PostgreSQL protocol first-read paths. A remote unauthenticated client can declare an oversized first packet length, and ProxySQL passes that attacker-controlled length directly to recv() while writing into a fixed 32 KB input queue. Version 3.0.9 patches the issue.
Analysis (AI)
Pre-authentication heap memory corruption in ProxySQL 2.0.18 through 3.0.8 allows remote unauthenticated attackers to corrupt heap memory by sending a crafted first packet declaring an oversized length, which is passed directly to recv() into a fixed 32 KB input queue on both MySQL and PostgreSQL protocol listeners. The flaw carries a CVSS 9.8 rating and is fixed in 3.0.9; no public exploit identified at time of analysis, but the trivial trigger condition and out-of-bounds write primitive create strong potential for weaponization.
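The read pattern the description and analysis above name (a client-declared packet length handed to recv() to fill a fixed 32 KB input queue) beside a bounded version, as an added C example that is not ProxySQL's code: the MySQL packet header framing (3-byte little-endian length plus 1-byte sequence id) is the real wire format, while the queue struct, the function names and the sample client bytes are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define QUEUE_SIZE (32 * 1024)  /* fixed 32 KB input queue, as in the advisory */

typedef struct {
    uint8_t buf[QUEUE_SIZE];
    size_t  used;               /* bytes already queued */
} input_queue;                  /* constructed stand-in, not ProxySQL's structure */

/* MySQL packet header: 3-byte little-endian payload length, 1-byte sequence id. */
static size_t mysql_declared_len(const uint8_t hdr[4]) {
    return (size_t)hdr[0] | ((size_t)hdr[1] << 8) | ((size_t)hdr[2] << 16);
}

/* The flawed pattern: the declared length is handed to recv() unchanged, so a
 * client can request a write far larger than the space left in buf. Returns how
 * many bytes would land past the end of the queue (0 means no overrun). */
size_t overrun_if_unchecked(const input_queue *q, const uint8_t hdr[4]) {
    size_t want = mysql_declared_len(hdr);
    size_t room = QUEUE_SIZE - q->used;
    return want > room ? want - room : 0;
}

/* Hardened first read: copy the header, bound the payload read by the remaining
 * capacity, and reject the connection if the declared size cannot fit at all.
 * `wire` stands in for the socket; returns bytes queued, or 0 on rejection. */
size_t first_read_bounded(input_queue *q, const uint8_t *wire, size_t wire_len) {
    if (wire_len < 4 || q->used > QUEUE_SIZE - 4) return 0;
    size_t want = mysql_declared_len(wire);
    size_t room = QUEUE_SIZE - q->used - 4;
    if (want > room) return 0;                 /* oversized first packet: drop */
    memcpy(q->buf + q->used, wire, 4);
    size_t avail = wire_len - 4;
    size_t n = want < avail ? want : avail;    /* never read more than declared */
    memcpy(q->buf + q->used + 4, wire + 4, n);
    q->used += 4 + n;
    return 4 + n;
}

/* Constructed sample client bytes: a header declaring 0x7FFFFF payload bytes,
 * and a header declaring 5 bytes followed by exactly 5 payload bytes. */
static const uint8_t oversized_first[] = { 0xFF, 0xFF, 0x7F, 0x01, 'A', 'A', 'A' };
static const uint8_t normal_first[]    = { 0x05, 0x00, 0x00, 0x01, 1, 2, 3, 4, 5 };
```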
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of ProxySQL 2.0.18 through 3.0.8, requiring only TCP reachability to a client-facing listener (MySQL protocol port, default 6033, or any configured PostgreSQL listener); the vulnerability is in the pre-authentication first-read path, so no credentials, prior session, or user interaction are needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to a high-priority issue: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects remote, unauthenticated, low-complexity exploitation with full CIA impact, and the bug sits in the pre-authentication code path, so it is reachable on any exposed listener without credentials. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach a ProxySQL listener (for example, an exposed 6033/tcp port or a PostgreSQL frontend on an internal segment reached via SSRF or a compromised host) opens a TCP connection and sends a single crafted packet whose declared length field far exceeds 32 KB, followed by attacker-chosen payload bytes. ProxySQL passes the oversized length to recv() and writes past the fixed input queue, corrupting adjacent heap structures; with careful heap grooming this is a plausible primitive for remote code execution as the ProxySQL process, and otherwise it reliably crashes the proxy and severs all backend database traffic. … |
| Remediation | Vendor-released patch: ProxySQL 3.0.9 - upgrade all affected instances to 3.0.9 or later as the primary remediation, per https://github.com/sysown/proxysql/releases/tag/v3.0.9 and the advisory at https://github.com/sysown/proxysql/security/advisories/GHSA-58ww-865x-grpr. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
Within 24 hours: Identify all systems running affected ProxySQL versions (2.0.18-3.0.8) and document their role in production database infrastructure. …
Same weakness: CWE-787 – Out-of-bounds Write
Same technique: Buffer Overflow
EUVD identifier: EUVD-2026-38073