Warning: high severity SQL injection vulnerability in PostgreSQL, PATCH IMMEDIATELY!

Published: 14/02/2025

Reference:
Advisory #2025-35

Version:
1.0

Affected software:
PostgreSQL < v17.3
PostgreSQL < v16.7
PostgreSQL < v15.11
PostgreSQL < v14.16
PostgreSQL < v13.19

Type:
Improper Neutralization of Quoting Syntax (CWE-149)

CVE/CVSS:
CVE-2025-1094
CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Risks

PostgreSQL has fixed CVE-2025-1094, an SQL injection vulnerability affecting all actively supported major versions. Successful exploitation can allow a remote attacker, without credentials for the database, to run arbitrary SQL statements against the databases hosted on the targeted PostgreSQL server and, where the injected input reaches the psql interactive terminal, to execute commands on the server's operating system (psql meta-commands such as \! run shell commands as the account running psql). This could expose all data on the server and in its databases.

Because exploitation can yield command execution on the operating system, an attacker can use the PostgreSQL host as a foothold to pivot into the internal network or deploy a webshell on it.

CVE-2025-1094 has a high impact on all three elements of the CIA triad (confidentiality, integrity and availability), and exploitation in the wild has already been observed.

Recommended Actions

CVE-2025-1094: CVSS 8.1

CVE-2025-1094 is caused by improper neutralization of quoting syntax in the libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() and PQescapeStringConn(), which lets whoever supplies the input string achieve SQL injection in certain usage patterns. These functions step over multibyte characters by the length implied by the lead byte but, before the fix, did not verify that the input was validly encoded: a quote character that immediately follows a stray lead byte is treated as part of that character and is therefore not doubled. The PostgreSQL server itself rejects query text with an invalid byte sequence, so the injection requires the application to use the function result to construct input to psql (the PostgreSQL interactive terminal), whose byte-oriented lexer sees the undoubled quote as terminating the literal and interprets what follows as SQL or as a meta-command. Because meta-commands such as \! run shell commands, the same injection can give command execution on the host running psql. The fixed releases make the escaping functions check the encoding validity of their input and report an error for invalid sequences.

The same class of defect exists in the PostgreSQL command-line utility programs: whoever controls their command-line arguments can achieve SQL injection when client_encoding is BIG5 and server_encoding is EUC_TW or MULE_INTERNAL. This is a rare combination, but worth checking in multilingual deployments that set these encodings.
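As an added illustration (not PostgreSQL's code and not part of the original advisory), the following Python models the defect described above: an escaper that advances by the UTF-8 lead byte's declared length without validating the sequence, beside a hardened variant that rejects invalid encoding, and a byte-oriented quote scanner standing in for psql's lexer. All function names and the sample input are constructed for this example, and the escaper is deliberately simplified (it handles single quotes only, not backslashes or the E'' form that PQescapeLiteral() produces).

```python
# Added example (not PostgreSQL's own code): a simplified model of the
# quoting defect behind CVE-2025-1094. The pre-fix escaper steps over input
# "characters" by the length the UTF-8 lead byte declares, without checking
# that the following bytes are valid continuation bytes, so a quote that
# directly follows a stray lead byte is swallowed and never doubled.
# Function names and the sample inputs below are constructed for this example.
from typing import Optional


def utf8_declared_len(lead: int) -> int:
    """Sequence length implied by a UTF-8 lead byte alone (no validation)."""
    if lead < 0x80:
        return 1
    if lead & 0xE0 == 0xC0:
        return 2
    if lead & 0xF0 == 0xE0:
        return 3
    if lead & 0xF8 == 0xF0:
        return 4
    return 1


def escape_literal_unvalidated(raw: bytes) -> bytes:
    """Pre-fix pattern (simplified: backslashes are not handled): wrap in single
    quotes and double embedded quotes, advancing by the declared character
    length. An invalid sequence such as b"\\xc0'" is treated as one 2-byte
    character, so its quote is copied through undoubled."""
    out = bytearray(b"'")
    i = 0
    while i < len(raw):
        n = utf8_declared_len(raw[i])
        chunk = raw[i:i + n]
        out += b"''" if chunk == b"'" else chunk
        i += n
    out += b"'"
    return bytes(out)


def escape_literal_validated(raw: bytes) -> Optional[bytes]:
    """Post-fix pattern: refuse input that is not valid in the client encoding.
    Returns None on invalid encoding, mirroring PQescapeLiteral() returning
    NULL on error."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return b"'" + raw.replace(b"'", b"''") + b"'"


def outside_literals(sql: bytes) -> bytes:
    """Byte-oriented scan of the kind a flex-based lexer such as psql's performs:
    every quote byte toggles literal state (a doubled quote inside a literal is
    an escaped quote). Returns the bytes that lie outside string literals,
    i.e. what the consumer would interpret as SQL or psql meta-commands."""
    out = bytearray()
    in_literal = False
    i = 0
    while i < len(sql):
        b = sql[i:i + 1]
        if in_literal:
            if b == b"'":
                if sql[i + 1:i + 2] == b"'":
                    i += 2          # escaped quote, stay inside the literal
                    continue
                in_literal = False
        elif b == b"'":
            in_literal = True
        else:
            out += b
        i += 1
    return bytes(out)


def psql_would_run_meta_command(raw: bytes) -> bool:
    """True if the unvalidated escaper's output, lexed byte-wise, exposes a
    backslash meta-command (\\!) outside any literal."""
    return b"\\!" in outside_literals(escape_literal_unvalidated(raw))


if __name__ == "__main__":
    benign = b"O'Neil"
    # Constructed sample: a stray UTF-8 lead byte followed by a quote,
    # then text that psql would read as a shell meta-command.
    malicious = b"O\xc0'; \\! id --"
    for name, value in (("benign", benign), ("malicious", malicious)):
        escaped = escape_literal_unvalidated(value)
        print(name, escaped, outside_literals(escaped),
              escape_literal_validated(value))
```

Run directly, the benign input is quoted correctly by both escapers and nothing ends up outside the literal; for the malicious input the unvalidated escaper leaves `; \! id --` outside the literal, which is exactly the text psql would act on, while the validated escaper returns None and the caller must treat that as an error rather than fall back to the raw string.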

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable systems with the highest priority, after thorough testing. Note that the defect lives in the libpq client library and in the command-line utilities, so the update must reach every host where those are installed: application servers, automation and CI hosts that invoke psql, and language drivers that bundle or link libpq, not only the database servers themselves.

  • PostgreSQL v17: Upgrade to v17.3
  • PostgreSQL v16: Upgrade to v16.7
  • PostgreSQL v15: Upgrade to v15.11
  • PostgreSQL v14: Upgrade to v14.16
  • PostgreSQL v13: Upgrade to v13.19
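To check an estate against the fixed releases listed above, the following Python (an added example, not part of the advisory or of PostgreSQL) parses the version string a server or client reports and decodes the numeric libpq version that PQlibVersion() and drivers built on it expose (for example psycopg2.extensions.libpq_version() or psycopg.pq.version()). The version strings and numbers used as input are constructed samples; the fixed-release table is taken from the advisory.

```python
# Added example, not from the advisory or the PostgreSQL project: helpers to
# check a server's reported version and a client's libpq version against the
# fixed releases listed in the advisory. Inputs below are constructed samples.
import re
from typing import Optional, Tuple

# Earliest fixed minor release per supported major, per the advisory.
FIXED_MINOR = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}


def parse_server_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from SELECT version(), psql --version or
    pg_config --version output, e.g. 'PostgreSQL 16.6 on x86_64-...' or
    'psql (PostgreSQL) 17.3 (Debian ...)'. Returns None for development or
    beta strings such as '18devel' that carry no minor number."""
    m = re.search(r"PostgreSQL\)?\s+(\d+)\.(\d+)", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_fixed(major: int, minor: int) -> Optional[bool]:
    """True if (major, minor) is at or above the fixed release, False if it is
    below it, None if the major is outside the advisory's list (for example
    an end-of-life 12.x server, which receives no fix at all)."""
    if major not in FIXED_MINOR:
        return None
    return minor >= FIXED_MINOR[major]


def libpq_numeric_version(num: int) -> Tuple[int, int]:
    """Decode a PQlibVersion()-style integer: for PostgreSQL 10 and later the
    value is major * 10000 + minor, e.g. 170002 -> (17, 2). Pre-10 values
    (such as 90624 for 9.6.24) decode to a major of 9 and fall outside the
    fixed-release table."""
    return num // 10000, num % 10000


def libpq_is_fixed(num: int) -> Optional[bool]:
    """Apply the fixed-release table to a numeric libpq version."""
    return is_fixed(*libpq_numeric_version(num))


if __name__ == "__main__":
    # Constructed samples standing in for real version() / PQlibVersion() output.
    for text in ("PostgreSQL 16.6 on x86_64-pc-linux-gnu, compiled by gcc",
                 "psql (PostgreSQL) 17.3 (Debian 17.3-1.pgdg120+1)"):
        v = parse_server_version(text)
        print(text, "->", v, "fixed:", None if v is None else is_fixed(*v))
    for num in (170002, 150011, 90624):
        print("libpq", num, "->", libpq_numeric_version(num),
              "fixed:", libpq_is_fixed(num))
```

A result of None is worth surfacing separately from False: it means the host runs a major release the advisory does not cover, which for end-of-life versions means no fixed package exists and the remediation is an upgrade rather than a patch.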

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.

Communication