Nicholas Husin (Gerrit)

unread,

Jan 16, 2026, 12:17:35 AM (2 days ago) Jan 16

to Neal Patel, Ethan Lee, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Ethan Lee and Neal Patel

Nicholas Husin has uploaded the change for review

Nicholas Husin would like Neal Patel and Ethan Lee to review this change.

Commit message

data/reports: regenerate GO-2025-3764 with updated GHSA

For golang/vulndb#3908

Change-Id: I676858c57549767894042c23371ac58b1bd25c05

Change diff

diff --git a/data/osv/GO-2025-3764.json b/data/osv/GO-2025-3764.json
index 4e789e2..de220c5 100644
--- a/data/osv/GO-2025-3764.json
+++ b/data/osv/GO-2025-3764.json
@@ -25,21 +25,7 @@
           ]
         }
       ],
-      "ecosystem_specific": {
-        "custom_ranges": [
-          {
-            "type": "ECOSYSTEM",
-            "events": [
-              {
-                "introduced": "0"
-              },
-              {
-                "fixed": "19.15.0"
-              }
-            ]
-          }
-        ]
-      }
+      "ecosystem_specific": {}
     },
     {
       "package": {
@@ -69,11 +55,25 @@
           "events": [
             {
               "introduced": "0"
+            },
+            {
+              "fixed": "10.15.0"
             }
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/go-pg/pg/v10/types",
+            "symbols": [
+              "Append",
+              "appendFloat",
+              "appendIntValue"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
@@ -82,11 +82,19 @@
       "url": "https://github.com/advisories/GHSA-6xp3-p59p-q4fj"
     },
     {
+      "type": "FIX",
+      "url": "https://github.com/go-pg/pg/commit/eff50a43724e52347559687a6945c116afbb41c1"
+    },
+    {
       "type": "WEB",
       "url": "https://github.com/go-pg/pg/blob/30e7053c6cacdd44d06cf2b92183b49188b7c922/types/append_value.go#L151"
     },
     {
       "type": "WEB",
+      "url": "https://github.com/go-pg/pg/releases/tag/v10.15.0"
+    },
+    {
+      "type": "WEB",
       "url": "https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn%27t%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf"
     },
     {
diff --git a/data/reports/GO-2025-3764.yaml b/data/reports/GO-2025-3764.yaml
index 044fc87..8b124a8 100644
--- a/data/reports/GO-2025-3764.yaml
+++ b/data/reports/GO-2025-3764.yaml
@@ -1,13 +1,19 @@
 id: GO-2025-3764
 modules:
     - module: github.com/go-pg/pg
-      non_go_versions:
-        - fixed: 19.15.0
       vulnerable_at: 8.0.7+incompatible
     - module: github.com/go-pg/pg/v9
       vulnerable_at: 9.2.1
     - module: github.com/go-pg/pg/v10
-      vulnerable_at: 10.13.0
+      versions:
+        - fixed: 10.15.0
+      vulnerable_at: 10.14.0
+      packages:
+        - package: github.com/go-pg/pg/v10/types
+          symbols:
+            - Append
+            - appendFloat
+            - appendIntValue
 summary: |-
     SQL injection vulnerability via the component /types/append_value.go in
     github.com/go-pg/pg
@@ -17,12 +23,18 @@
     - GHSA-6xp3-p59p-q4fj
 references:
     - advisory: https://github.com/advisories/GHSA-6xp3-p59p-q4fj
+    - fix: https://github.com/go-pg/pg/commit/eff50a43724e52347559687a6945c116afbb41c1
     - web: https://github.com/go-pg/pg/blob/30e7053c6cacdd44d06cf2b92183b49188b7c922/types/append_value.go#L151
+    - web: https://github.com/go-pg/pg/releases/tag/v10.15.0
     - web: https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn%27t%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
     - web: https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw
 notes:
-    - No known fix commit for any specified version.
+    - create: failed to auto-populate symbols
+    - lint: 'modules[0] "github.com/go-pg/pg": unsupported_versions: found 1 (want none)'
+    - lint: 'modules[0] "github.com/go-pg/pg": versions: no latest fixed version (required for NEEDS_REVIEW report)'
+    - lint: 'modules[1] "github.com/go-pg/pg/v9": unsupported_versions: found 1 (want none)'
+    - lint: 'modules[1] "github.com/go-pg/pg/v9": versions: no latest fixed version (required for NEEDS_REVIEW report)'
 source:
     id: GHSA-6xp3-p59p-q4fj
-    created: 2025-07-16T11:06:41.876419-04:00
+    created: 2026-01-16T00:10:17.543217983-05:00
 review_status: REVIEWED

Change information

Files:

M data/osv/GO-2025-3764.json
M data/reports/GO-2025-3764.yaml

Change size: M

Delta: 2 files changed, 41 insertions(+), 21 deletions(-)

Open in Gerrit

Related details

Attention is currently required from:

Ethan Lee
Neal Patel

Submit Requirements:

Code-Review
LUCI-Pass
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Nicholas Husin (Gerrit)

unread,

Jan 16, 2026, 12:18:46 AM (2 days ago) Jan 16

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Ethan Lee, Neal Patel and Nicholas Husin

Nicholas Husin uploaded new patchset

Nicholas Husin uploaded patch set #2 to this change.

Open in Gerrit

Related details

Attention is currently required from:

Ethan Lee
Neal Patel
Nicholas Husin

Submit Requirements:

Code-Review
LUCI-Pass
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Nicholas Husin (Gerrit)

unread,

Jan 16, 2026, 12:19:07 AM (2 days ago) Jan 16

to Nicholas Husin, goph...@pubsubhelper.golang.org, Go LUCI, Neal Patel, Ethan Lee, golang-co...@googlegroups.com

Attention needed from Ethan Lee, Neal Patel and Nicholas Husin

Nicholas Husin voted

Auto-Submit	+1
Code-Review	+1

Open in Gerrit

Related details

Attention is currently required from:

Ethan Lee
Neal Patel
Nicholas Husin

Submit Requirements:

Code-Review
LUCI-Pass
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Nicholas Husin (Gerrit)

unread,

Jan 17, 2026, 10:05:06 PM (9 hours ago) Jan 17

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Ethan Lee, Neal Patel and Nicholas Husin

Nicholas Husin uploaded new patchset

Nicholas Husin uploaded patch set #3 to this change.

Open in Gerrit

Related details

Attention is currently required from:

Ethan Lee
Neal Patel
Nicholas Husin

Submit Requirements:

Code-Review

No-Unresolved-Comments
Review-Enforcement

TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Reply all

Reply to author

Forward

[vulndb] data/reports: regenerate GO-2025-3764 with updated GHSA

Nicholas Husin (Gerrit)

Nicholas Husin has uploaded the change for review

Commit message

Change diff

Change information

Related details

Nicholas Husin (Gerrit)

Nicholas Husin uploaded new patchset

Related details

Nicholas Husin (Gerrit)

Nicholas Husin voted

Related details

Nicholas Husin (Gerrit)

Nicholas Husin uploaded new patchset

Related details