Vulnerability in pgai Python Library Affecting Timescale
CVE-2025-52467

9.1 CRITICAL

Key Information:

Vendor: Timescale
Status: Vendor
CVE Published: 19 June 2025

What is CVE-2025-52467?

pgai is a Python library for building retrieval-augmented generation (RAG) and agentic applications on PostgreSQL. Before the fix, one of the project's GitHub Actions workflows could be abused by an unauthenticated, remote attacker to exfiltrate the secrets available to that workflow, including a GITHUB_TOKEN with write permissions. A token with that scope lets an attacker modify repository contents, push arbitrary code and publish releases, which makes this a software-supply-chain risk for every downstream consumer of pgai rather than a bug in the library's runtime behaviour. The issue was resolved in commit 8eb3567 (full hash under Affected Version(s) below). Users should move to a release that includes that commit and, because the exposed token was write-capable, prefer pinning to releases or commits produced after the fix and verifying the provenance of any pgai artifacts they consume.
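The advisory does not say which workflow construct leaked the secrets, so the following is an added example, not pgai's own code or workflow: a small heuristic auditor for the three patterns that most often let a pull request from a fork reach a workflow's GITHUB_TOKEN and secrets (checking out the PR head under pull_request_target, interpolating attacker-controlled event fields into a run: script, and omitting a permissions: block so the token keeps the repository default scope). The two workflow files it scans are constructed for illustration; the rule names and the Finding type are the example's own.

```python
"""Heuristic audit of GitHub Actions workflows for secret-exfiltration patterns.
Added example, not pgai's code; the sample workflows are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Event fields that a fork PR or issue author controls. Interpolated directly
# into a `run:` script they become shell injection inside a job holding secrets.
UNTRUSTED_CTX = re.compile(
    r"\$\{\{[^}]*github\.(?:head_ref"
    r"|event\.pull_request\.(?:title|body|head\.(?:ref|label)|head\.repo\.default_branch)"
    r"|event\.issue\.(?:title|body)"
    r"|event\.(?:comment|review|review_comment)\.body"
    r"|event\.(?:commits|head_commit)\b)[^}]*\}\}"
)
# Under pull_request_target the job runs with secrets and a write-capable token;
# checking out the PR head then executes untrusted code in that context.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
RUN_LINE = re.compile(r"^(\s*)(?:-\s+)?run\s*:\s*(.*)$")
BLOCK_SCALARS = {"|", ">", "|-", ">-", "|+", ">+"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int      # 1-based line in the workflow file; 0 means file-level
    detail: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def audit_workflow(text: str) -> list[Finding]:
    """Line-based scan (no YAML parser): unusual layouts may be missed."""
    lines = text.splitlines()
    findings: list[Finding] = []
    # 1. No permissions block: GITHUB_TOKEN gets the repository default,
    #    which may be read/write for every job.
    if not re.search(r"^\s*permissions\s*:", text, re.M):
        findings.append(Finding("no_permissions", 0, "GITHUB_TOKEN scope is the repository default"))
    uses_prt = re.search(r"\bpull_request_target\b", text) is not None
    i = 0
    while i < len(lines):
        line = lines[i]
        # 2. PR head checked out in a pull_request_target job.
        if uses_prt and PR_HEAD_REF.search(line):
            findings.append(Finding("pull_request_target_checkout", i + 1, line.strip()))
        # 3. Untrusted expression inside a run: script (inline or block scalar).
        m = RUN_LINE.match(line)
        if m:
            base = _indent(line)
            chunks = [(i + 1, m.group(2))]
            if m.group(2).strip() in BLOCK_SCALARS:
                j = i + 1
                while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > base):
                    chunks.append((j + 1, lines[j]))
                    j += 1
                i = j - 1
            for lineno, chunk in chunks:
                for hit in UNTRUSTED_CTX.finditer(chunk):
                    findings.append(Finding("script_injection", lineno, hit.group(0)))
        i += 1
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: all three patterns present.
RISKY_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Checking ${{ github.event.pull_request.title }}"
      - run: |
          echo "Body:"
          echo "${{ github.event.pull_request.body }}"
      - run: pip install -e .
"""

# Constructed sample: pull_request trigger, least-privilege token, untrusted
# value passed through an environment variable instead of the script text.
HARDENED_WORKFLOW = """\
name: pr-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking $PR_TITLE"
      - run: pip install -e .
"""

if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for f in audit_workflow(wf) or [Finding("ok", 0, "no findings")]:
            print(f"  {f.rule:30} line {f.line:<3} {f.detail}")
```

Run it against a repository's .github/workflows/*.yml files to get a first pass; the hardened sample shows the usual remediation shape (pull_request instead of pull_request_target where secrets are not needed, an explicit read-only permissions block, and untrusted fields passed via env rather than interpolated into the script). Note that a leaked GITHUB_TOKEN is only valid for the duration of the job that issued it, but a job that an attacker can trigger on demand gives them a fresh token each time.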

Affected Version(s)

pgai prior to commit 8eb356729c33560ce54b88b9a956960ad1e3ede8 (the fix; the affected range is given as a commit rather than a release number)

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None (a High availability impact with the remaining metrics would score 9.8; the published 9.1 corresponds to A:N)
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 19 June 2025