Base Score

MEDIUM4.9

CVE-2025-1386

When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream.

VectorNETWORK

Published Bycb7ba516-3b07-4c98-b0c2-715220f1a8f6

Published DateApr 11, 2025, 05:15

Affected Versions(1)

github.com/ClickHouse/ch-go(Go)

Introduced0

Fixed0.65.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/ClickHouse/ch-go(Go)	0	0.65.0	N/A

Weakness Type (CWE):CWE-444

CVSS Metrics

Base Score

5.9

Vector String

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

References

https://github.com/ClickHouse/ch-go/security/advisories/GHSA-m454-3xv7-qj85

Base Score

MEDIUM4.9

Weakness Type (CWE):CWE-444

CVSS Metrics

Base Score

5.9

Vector String

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)