CVE-2025-1386: CVE-2025-1386- Query smuggling in ch-go library

April 12, 2025 (updated April 23, 2025)

When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream.

References

github.com/ClickHouse/ch-go
github.com/ClickHouse/ch-go/commit/0e835663df32b09b828528c07a5507686e6d975e
github.com/ClickHouse/ch-go/security/advisories/GHSA-m454-3xv7-qj85
github.com/advisories/GHSA-m454-3xv7-qj85
nvd.nist.gov/vuln/detail/CVE-2025-1386
pkg.go.dev/vuln/GO-2025-3603

Code Behaviors & Features

Detect and mitigate CVE-2025-1386 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →