- Last update: 20/08/2025
- Affected software: PostgreSQL <17.6, <16.10, <15.14, <14.19, and <13.22
- Type:
  → CVE-2025-8714: Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
  → CVE-2025-8715: Improper Neutralization of CRLF Sequences (CWE-93)
- CVE/CVSS:
  → CVE-2025-8714: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  → CVE-2025-8715: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
https://www.postgresql.org/support/security/CVE-2025-8714
https://www.postgresql.org/support/security/CVE-2025-8715
CVE-2025-8714 and CVE-2025-8715 both affect pg_dump, the command-line utility developed by PostgreSQL for creating backups of a PostgreSQL database. Both vulnerabilities allow an attacker on the origin server to abuse pg_dump so that malicious commands are embedded in the backup file. If such a tampered dump is later restored with psql, the attacker can run arbitrary code on the restoring system with the same privileges as the user performing the restoration.
Attackers can also create malicious operators that bypass view access controls and row-level security, allowing them to retrieve data that should remain restricted. These flaws pose a heightened risk in DevOps environments, where automated backup restorations run frequently, since a compromised dump can then execute with elevated system privileges.
CVE-2025-8714:
PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client.
Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. This is similar to MySQL CVE-2024-21096.
CVE-2025-8715:
PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server.
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Update to PostgreSQL 17.6, 16.10, 15.14, 14.19, or 13.22.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
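As an added example (not part of the CCB advisory or of PostgreSQL's own tooling), the following pre-restore check scans a plain-text pg_dump file for psql meta-commands that a dump should not contain. It assumes that the only backslash commands a legitimate plain-text dump emits are \connect, \restrict and \unrestrict (plus the \. terminator of COPY data), and it skips COPY data blocks, where a leading backslash is escaped data rather than a command. The sample dump is constructed for illustration.

```python
import re

# Assumption: the only meta-commands a legitimate plain-text pg_dump emits.
ALLOWED_META = {r"\connect", r"\restrict", r"\unrestrict"}
COPY_START = re.compile(r"^COPY\s.*\sFROM\s+stdin;\s*$", re.IGNORECASE)
COPY_END = r"\."  # end-of-data marker inside a COPY block


def find_unexpected_meta_commands(dump_text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for every backslash command that is not
    on the allow list and does not sit inside COPY data."""
    findings = []
    in_copy = False
    for lineno, line in enumerate(dump_text.splitlines(), start=1):
        if in_copy:
            # Inside COPY data, a leading backslash is escaped data, not a command.
            if line.rstrip() == COPY_END:
                in_copy = False
            continue
        if COPY_START.match(line):
            in_copy = True
            continue
        stripped = line.lstrip()
        if not stripped.startswith("\\"):
            continue
        command = stripped.split(None, 1)[0]
        if command not in ALLOWED_META:
            findings.append((lineno, line))
    return findings


# Constructed sample: a dump header with a legitimate \restrict line, a COPY
# block whose first data row begins with an escaped backslash, and an object
# comment split by a newline so that a meta-command lands at line start.
SAMPLE_DUMP = """\
--
-- PostgreSQL database dump
--
\\restrict k3y
SET client_encoding = 'UTF8';
--
-- Name: t; Type: TABLE; Schema: public; Owner: app
--
CREATE TABLE public.t (v text);
COPY public.t (v) FROM stdin;
\\\\looks like a command but is COPY data
plain row
\\.
--
-- Name: evil
\\! echo constructed-injection-marker
-- ; Type: TABLE; Schema: public; Owner: app
--
"""

if __name__ == "__main__":
    for lineno, line in find_unexpected_meta_commands(SAMPLE_DUMP):
        print(f"line {lineno}: unexpected meta-command: {line}")
```

Only the injected line 16 is reported; the \restrict header and the escaped backslash inside the COPY block are correctly left alone. The check covers plain-text dumps restored with psql, not custom-format archives handled by pg_restore.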
https://nvd.nist.gov/vuln/detail/CVE-2025-8714
https://nvd.nist.gov/vuln/detail/CVE-2025-8715