[willvarfar]

I wonder what the worst possible bug might be?

A bug in query parameter parsing that would allow SQL injection attacks?

[onedognight]

As conjectured above, the worst case is pre authentication remote code execution. i.e. anyone can just connect, send magic packets, and get a shell.

[ef4]

While that would be bad, if it required a magic packet it would have limited impact -- lots of postgres databases don't talk to public networks.

Worse would be a vulnerability that you could trigger just by manipulating query parameters. Then almost every postgres-backed website would be vulnerable.