The vulnerability lies in the DataRow.Decode function of the pgproto3 library. It fails to validate field lengths, allowing a malicious PostgreSQL server to send a DataRow message with a negative field length. The library does not check this value, causing a slice bounds error that triggers a panic and crashes the consuming application. This results in a denial of service for the affected process. The weakness corresponds to CWE‑1285 and CWE‑129, which indicate improper handling of array bounds or indices and improper validation of array length for buffer access.

Any application that incorporates the github.com/jackc/pgproto3/v2 library is at risk, including projects that depend on this library such as pgx. All releases prior to the official fix are potentially vulnerable, as the CVE entry does not supply specific version ranges.

The CVSS score of 7.5 indicates high impact, yet the EPSS score of less than 1% suggests that exploitation is presently unlikely and it is not listed in the CISA KEV catalog. The attack vector is remote via the PostgreSQL server side; an attacker who can control or compromise a PostgreSQL instance can send the malicious DataRow message. No special client‑side privileges are required, though the vulnerable client must accept the connection. Consequently, systems that accept connections from untrusted databases should treat this as sufficiently risky to justify prompt remediation.