
RUSTSEC-2026-0179

Unbounded SCRAM iteration count allows a malicious server to cause CPU-exhaustion denial of service

Reported
Issued
Package
postgres-protocol (crates.io)
Type
Vulnerability
Categories
Keywords
#scram #pbkdf2
References
CVSS Score
8.7 HIGH
CVSS Details
Attack Complexity
Low
Attack Requirements
None
Attack Vector
Network
Privileges Required
None
Availability Impact to the Subsequent System
None
Confidentiality Impact to the Subsequent System
None
Integrity Impact to the Subsequent System
None
User Interaction
None
Availability Impact to the Vulnerable System
High
Confidentiality Impact to the Vulnerable System
None
Integrity Impact to the Vulnerable System
None
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Patched
  • >=0.6.12
Unaffected
  • <0.3.0
Affected Functions
  • postgres_protocol::authentication::sasl::ScramSha256::update (version <0.6.12)

Description

A malicious, compromised, or man-in-the-middle server can supply an arbitrarily large SCRAM-SHA-256 PBKDF2 iteration count during authentication. The client runs the PBKDF2 derivation inline on a tokio worker thread with no upper bound on that count, so a single connection can pin the thread for minutes and possibly stall the whole async runtime.

Applications that connect only to a trusted database are not exposed; the risk applies to clients that may connect to untrusted or user-supplied servers, or whose connection can be intercepted by a man-in-the-middle.
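As an added illustration of the mitigation (example code, not postgres-protocol's own), the following parses a SCRAM server-first-message and rejects the iteration count before any PBKDF2 work is scheduled; the bound values `MIN_ITERATIONS` and `MAX_ITERATIONS` are assumptions, not figures from the advisory or the fix.

```rust
// Added example: validate the SCRAM "i=" field before deriving any key.
// Not postgres-protocol's code; the cap below is an assumed policy value.

/// Assumed upper bound on accepted PBKDF2 iteration counts (not from the advisory).
pub const MAX_ITERATIONS: u64 = 1 << 20;
/// RFC 7677 recommends at least 4096 iterations for SCRAM-SHA-256.
pub const MIN_ITERATIONS: u64 = 4096;

#[derive(Debug, PartialEq)]
pub enum ScramError {
    MalformedMessage(&'static str),
    IterationCountOutOfRange(u64),
    NonceMismatch,
}

#[derive(Debug, PartialEq)]
pub struct ServerFirst<'a> {
    pub nonce: &'a str,
    pub salt_b64: &'a str,
    pub iterations: u32,
}

/// Parse "r=<nonce>,s=<salt-base64>,i=<count>" (RFC 5802 server-first-message,
/// optional reserved-mext/extension fields ignored for brevity) and enforce the
/// iteration bound. The client nonce must be a prefix of the server nonce.
pub fn parse_server_first<'a>(msg: &'a str, client_nonce: &str) -> Result<ServerFirst<'a>, ScramError> {
    let mut parts = msg.split(',');
    let nonce = parts.next().and_then(|p| p.strip_prefix("r="))
        .ok_or(ScramError::MalformedMessage("missing r="))?;
    let salt_b64 = parts.next().and_then(|p| p.strip_prefix("s="))
        .ok_or(ScramError::MalformedMessage("missing s="))?;
    let iter_str = parts.next().and_then(|p| p.strip_prefix("i="))
        .ok_or(ScramError::MalformedMessage("missing i="))?;
    // Parse as u64 so an absurd value is reported as out of range rather than
    // silently clamped; values that do not fit even u64 are rejected as malformed.
    let iterations: u64 = iter_str.parse()
        .map_err(|_| ScramError::MalformedMessage("i= is not an unsigned integer"))?;
    if !(MIN_ITERATIONS..=MAX_ITERATIONS).contains(&iterations) {
        // This is the check the advisory says was missing: reject before any PBKDF2 runs.
        return Err(ScramError::IterationCountOutOfRange(iterations));
    }
    if !nonce.starts_with(client_nonce) {
        return Err(ScramError::NonceMismatch);
    }
    Ok(ServerFirst { nonce, salt_b64, iterations: iterations as u32 })
}
```

A caller would invoke `parse_server_first` on the server's reply and only hand the returned `iterations` to PBKDF2 once it passes; the constructed messages in the test show an accepted count and an oversized one.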

Advisory available under CC0-1.0 license.