Impact
The vulnerability lies in the PostgreSQL notifications module of the Elixir Ecto Postgrex package, where channel names supplied to listen/3 and unlisten/3 are interpolated directly into LISTEN/UNLISTEN SQL statements without escaping embedded double-quote characters. This oversight is a classic instance of CWE-89 (SQL injection): an attacker who can choose a channel name can close the quoted identifier with a double quote and append further SQL. Because the underlying PostgreSQL connection accepts the simple query protocol, which allows several statements in one message, the attacker can terminate the quoted identifier, chain additional statements with a semicolon, and have arbitrary DDL or DML executed. Successful exploitation would compromise database integrity, could exfiltrate or modify data, and could also serve as a vector for further system compromise.
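The following Elixir module is an added illustration of the defect described above and of the two controls that close it; it is not code from Postgrex or from the advisory. The module name `SafeChannel`, the snake_case allowlist, the hypothetical `safe_listen/3` wrapper and the error atoms are assumptions made for this example. `listen_sql_unsafe/1` reproduces the vulnerable pattern (the name is dropped inside the quotes unchanged) so it can be compared with the hardened `listen_sql/1`, which validates the name and quotes the identifier by doubling any embedded double quote, the standard PostgreSQL identifier-escaping rule.

```elixir
defmodule SafeChannel do
  @moduledoc """
  Added example (not Postgrex's own code): building a LISTEN statement for a
  caller-supplied channel name without letting the name escape the identifier.
  """

  # PostgreSQL identifiers are limited to 63 bytes; longer names are truncated,
  # so reject them explicitly instead of silently listening on a different name.
  @max_identifier_bytes 63

  # Defensive allowlist, assumed for this example: only conventional snake_case
  # channel names are accepted. Proper quoting alone is also correct, but an
  # allowlist turns any unexpected input into an explicit error.
  @allowed ~r/\A[a-z_][a-z0-9_]*\z/

  @doc "Vulnerable pattern: the raw name is interpolated inside the quotes."
  def listen_sql_unsafe(channel), do: ~s(LISTEN "#{channel}")

  @doc "Hardened pattern: validate, then quote the identifier properly."
  def listen_sql(channel) do
    with {:ok, name} <- validate(channel) do
      {:ok, "LISTEN " <> quote_identifier(name)}
    end
  end

  @doc "Accepts only allowlisted names of a legal identifier length."
  def validate(channel) when is_binary(channel) do
    cond do
      byte_size(channel) == 0 -> {:error, :empty_channel}
      byte_size(channel) > @max_identifier_bytes -> {:error, :channel_too_long}
      not Regex.match?(@allowed, channel) -> {:error, :invalid_channel}
      true -> {:ok, channel}
    end
  end

  def validate(_other), do: {:error, :invalid_channel}

  @doc """
  Quote a PostgreSQL identifier: wrap it in double quotes and double every
  embedded double quote, so a quote inside the name can no longer terminate
  the identifier. NUL bytes are refused because PostgreSQL rejects them.
  """
  def quote_identifier(name) when is_binary(name) do
    if String.contains?(name, <<0>>) do
      raise ArgumentError, "NUL byte in identifier"
    end

    ~s(") <> String.replace(name, ~s("), ~s("")) <> ~s(")
  end

  # Hypothetical wrapper around Postgrex.Notifications.listen/3 (the function
  # named in the advisory). Validation happens before the name reaches the
  # library, so even a vulnerable Postgrex version only ever sees allowlisted
  # names; upgrading to a fixed release remains the primary remediation.
  def safe_listen(pid, channel, opts \\ []) do
    with {:ok, name} <- validate(channel) do
      Postgrex.Notifications.listen(pid, name, opts)
    end
  end
end
```

`SafeChannel.listen_sql("orders_updated")` returns `{:ok, ~s(LISTEN "orders_updated")}`, while a name containing a double quote, a semicolon or whitespace returns `{:error, :invalid_channel}` before any SQL is built. `quote_identifier/1` on its own turns a stray `"` into `""`, which PostgreSQL reads as a literal quote character inside the identifier rather than as its end; the allowlist in front of it is defence in depth, not a substitute for the quoting.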
Affected Systems
Any deployment of Elixir Ecto Postgrex prior to version 0.22.2 is vulnerable. This includes the 0.16.0-0.22.2 range mentioned in the advisory, regardless of which GitHub commit or tag the dependency was built from. Systems running these versions in which untrusted code or user input can dictate notification channel names are affected. The vulnerability exists in the lib/postgrex/notifications.ex source file and is reached through the Elixir.Postgrex.Notifications module.
Risk and Exploitability
The advisory assigns a CVSS score of 7.5, indicating high severity; no EPSS value is provided, and the issue is not listed in the CISA KEV database. The attack is feasible in environments where the application exposes channel names to external actors, and because the simple query protocol permits multiple statements per message, the risk is tangible. Exploitation requires no special hardware or advanced technique beyond the ability to submit a constructed channel name, so a determined attacker with application access could immediately craft a payload such as channel="foo\"; DROP TABLE users;--" and trigger destructive actions on the database.
OpenCVE Enrichment