SQL Injection Vulnerability in PostgreSQL libpq Functions and Command Line Utilities
CVE-2025-1094
Key Information:
- Vendor: PostgreSQL
- Status: Vendor
- CVE Published: 13 February 2025
What is CVE-2025-1094?
CVE-2025-1094 is a significant SQL Injection vulnerability found in the PostgreSQL libpq functions and command line utilities. PostgreSQL is a widely used open-source relational database management system (RDBMS) designed for reliability and robustness. The vulnerability stems from improper neutralization of quoting syntax in specific functions, which can allow an attacker to manipulate SQL queries by injecting malicious input. If exploited, this could lead to unauthorized data access or command execution, thereby adversely affecting the confidentiality, integrity, and availability of database systems in an organization.
Technical Details
The vulnerability is in the PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn(). These functions are intended to escape user input safely to prevent SQL injection. Because they improperly neutralize quoting syntax, a database input provider can achieve SQL injection under certain conditions, particularly when the application uses the output of these functions to construct input for psql, the PostgreSQL interactive terminal. Specific command-line utility programs are also vulnerable when client_encoding is set to BIG5 and server_encoding is set to EUC_TW or MULE_INTERNAL. The impacted versions are those prior to PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19.
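A fleet check for the release and encoding conditions described above, as an added example that is not part of the original page: it parses version strings or server_version_num values and flags branches below the fixed minor releases listed here. The inventory, host names and function names are constructed for illustration, and branches the page does not name are reported as not_listed rather than assumed safe.

```python
import re

# First fixed minor release per major branch, as listed on this page.
FIXED_MINOR = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}
# Encoding combination the page names for the command-line utilities.
RISKY_CLIENT = "BIG5"
RISKY_SERVER = {"EUC_TW", "MULE_INTERNAL"}


def parse_version(value):
    """Return (major, minor) from server_version_num or a version string."""
    text = str(value).strip()
    if re.fullmatch(r"\d{5,6}", text):  # PostgreSQL 10+ numbering: 160004 -> 16.4
        num = int(text)
        return num // 10000, num % 10000
    m = re.search(r"(\d+)\.(\d+)", text)  # first "major.minor" in the string
    if not m:
        raise ValueError(f"unrecognised version: {value!r}")
    return int(m.group(1)), int(m.group(2))


def assess(version, client_encoding=None, server_encoding=None):
    """Classify one host against the releases and encodings named above."""
    major, minor = parse_version(version)
    if major not in FIXED_MINOR:
        status = "not_listed"  # branch not named on the page
    elif minor < FIXED_MINOR[major]:
        status = "affected"
    else:
        status = "fixed"
    client = str(client_encoding or "").upper()
    server = str(server_encoding or "").upper()
    risky_enc = client == RISKY_CLIENT and server in RISKY_SERVER
    return {"version": f"{major}.{minor}", "status": status,
            "utility_encoding_risk": status == "affected" and risky_enc}


# Constructed inventory: (host, version as reported, client_encoding, server_encoding)
INVENTORY = [
    ("db-a", "PostgreSQL 16.4 (Debian 16.4-1.pgdg120+1) on x86_64-pc-linux-gnu", "UTF8", "UTF8"),
    ("db-b", "170003", "UTF8", "UTF8"),
    ("db-c", "14.15", "big5", "EUC_TW"),
    ("db-d", "12.22", "UTF8", "UTF8"),
]


def audit(inventory=INVENTORY):
    return {host: assess(v, ce, se) for host, v, ce, se in inventory}


if __name__ == "__main__":
    for host, result in audit().items():
        print(host, result)
```

The version inputs correspond to what `SELECT version()`, `SHOW server_version` and `SHOW server_version_num` return; the encodings are the values of the client_encoding and server_encoding settings.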
Potential Impact of CVE-2025-1094
- Unauthorized Data Access: Attackers may exploit this vulnerability to gain unauthorized access to sensitive data stored in a PostgreSQL database, leading to potential data leakage and breaches that can severely impact an organization's reputation.
- Command Execution Risks: Successful exploitation could allow attackers to execute arbitrary commands through the command line utilities, potentially leading to a compromise of the underlying server and other connected systems.
- Denial of Service: Exploiting this SQL injection vulnerability may enable attackers to disrupt database operations, causing a denial of service to legitimate users and affecting critical business functions.
Affected Version(s)
PostgreSQL 17 < 17.3
PostgreSQL 16 < 16.7
PostgreSQL 15 < 15.11
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Serious PostgreSQL flaw exploited in US Treasury zero-day attack - Techerati
Researchers believe a zero-day weakness in PostgreSQL played a major role in hacks that were able to successfully breach the US Treasury.

PostgreSQL vulnerability exploited in US Treasury attack
Discover how a critical PostgreSQL vulnerability led to a significant cyberattack on the US Treasury, exposing sensitive financial data.

A PostgreSQL zero-day was also exploited in US Treasury hack (CVE-2025-1094)
Rapid7 researchers have discovered that the Chinese state-sponsored hackers suspected of being behind the U.S. Treasury attack in December leveraged a
EPSS Score
84% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Vulnerability started trending
- Exploit known to exist
- Public PoC available
- First article discovered by SecurityWeek
- Vulnerability published
- Vulnerability Reserved