Zero-day SQL Injection Vulnerability In PostgreSQL

Nam Anh Mai D.

A recent report by Rapid7 revealed that attackers are actively exploiting a serious zero-day vulnerability in PostgreSQL. The flaw allows SQL injection and could lead to remote code execution.

Vulnerability Information

  • Vulnerability ID: CVE-2025-1094

  • CVSS Score (3.1): 8.1

  • Severity Level: High

  • Affected Versions: All PostgreSQL versions before 17.3, 16.7, 15.11, 14.16, 13.19 are affected.

CVE-2025-1094 was discovered during research into CVE-2024-12356, a vulnerability that allows an unauthenticated attacker to execute code remotely on BeyondTrust products. Researchers found that successfully exploiting CVE-2025-1094 is a stepping stone to exploiting CVE-2024-12356. Although BeyondTrust released a patch for CVE-2024-12356 in December 2024, the PostgreSQL vulnerability remained unaddressed until researchers at Rapid7 discovered it.

The vulnerability originates from PostgreSQL's improper handling of quoting syntax in the following libpq library functions:

  • PQescapeLiteral()

  • PQescapeIdentifier()

  • PQescapeString()

  • PQescapeStringConn()

Although these functions are designed to escape special characters and prevent SQL injection in psql (PostgreSQL's interactive terminal), misusing them when building SQL queries for psql can still lead to injection, especially in combination with psql's handling of invalid UTF-8 strings.
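The escaping functions listed above are only safe when the bytes they receive are what they assume them to be. The following C program is an added example, not code from the original post and not PostgreSQL's implementation: it models, in simplified form, how an escaper that trusts UTF-8 lead bytes can be made to skip a quote by an invalid byte placed in front of it, and shows the defensive check (strict UTF-8 validation before escaping, plus a quote-count sanity check on the result) that closes the gap. All function names are hypothetical and the inputs are constructed.

```c
/* Added example, not code from the original post and not PostgreSQL's own
 * implementation: a simplified model of why an escaping routine that trusts
 * UTF-8 lead bytes can be bypassed by invalid UTF-8, next to the defensive
 * check (validate the encoding before escaping) that closes the gap.
 * All function names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sequence length a UTF-8 lead byte *claims*; 1 for ASCII and for bytes that
 * cannot start a sequence (stray continuation bytes, 0xF8..0xFF). */
static size_t lead_len(unsigned char c)
{
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Strict UTF-8 validation of an n-byte buffer. Rejects stray continuation
 * bytes, truncated sequences, overlong encodings (e.g. C0 80), UTF-16
 * surrogates and code points above U+10FFFF. Returns 1 if well-formed. */
int utf8_validate(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned char c = s[i];
        if (c < 0x80) { i++; continue; }
        size_t len = lead_len(c);
        if (len == 1) return 0;                 /* 0x80..0xBF or 0xF8..0xFF cannot lead */
        if (i + len > n) return 0;              /* truncated sequence */
        uint32_t cp = c & (0xFF >> (len + 1));  /* payload bits of the lead byte */
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        uint32_t min = (len == 2) ? 0x80 : (len == 3) ? 0x800 : 0x10000;
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += len;
    }
    return 1;
}

/* Encoding-unaware escaper (the failure mode): wraps the input in single
 * quotes and doubles embedded quotes, but whenever a byte looks like a UTF-8
 * lead byte it copies the declared number of bytes through untouched. After
 * an invalid lead byte such as 0xC0, a following quote is swallowed as the
 * "second byte of a character" and is never doubled. Caller frees the result. */
char *escape_literal_unchecked(const unsigned char *s, size_t n)
{
    char *out = malloc(2 * n + 3);   /* worst case: every byte doubled + quotes + NUL */
    if (!out) return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n;) {
        size_t len = lead_len(s[i]);
        if (len == 1 && s[i] == '\'') *p++ = '\'';   /* double an ASCII quote */
        for (size_t k = 0; k < len && i < n; k++) *p++ = (char)s[i++];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Hardened form: refuse anything that is not well-formed UTF-8 before it
 * reaches the escaper. Once the input is valid, every lead byte really is
 * followed by continuation bytes, so the byte-skipping above cannot skip a
 * quote. Returns NULL (reject) on invalid input. */
char *escape_literal_checked(const unsigned char *s, size_t n)
{
    if (!utf8_validate(s, n)) return NULL;
    return escape_literal_unchecked(s, n);
}

/* Sanity check on an escaped literal: in a correctly escaped literal the
 * number of single quotes is always even (two delimiters plus doubled pairs).
 * Returns 1 if even, 0 if odd (a quote got past the escaper). */
int quotes_balanced(const char *lit)
{
    size_t count = 0;
    for (; *lit; lit++) if (*lit == '\'') count++;
    return (count % 2) == 0;
}

int main(void)
{
    /* Constructed inputs: a legitimate name containing an apostrophe, and a
     * string that starts with an invalid lead byte immediately followed by a quote. */
    const unsigned char good[] = "O'Brien";
    const unsigned char bad[]  = "\xC0'";

    char *g = escape_literal_checked(good, sizeof good - 1);
    printf("checked(good)  = %s  balanced=%d\n", g, quotes_balanced(g));
    char *u = escape_literal_unchecked(bad, sizeof bad - 1);
    printf("unchecked(bad) balanced=%d\n", quotes_balanced(u));
    printf("checked(bad)   %s\n", escape_literal_checked(bad, sizeof bad - 1) ? "accepted" : "rejected");
    free(g);
    free(u);
    return 0;
}
```

Build with any C99 compiler and run: the checked path turns `O'Brien` into `'O''Brien'` with an even quote count, the unchecked path produces an odd quote count for the invalid input, and the checked path rejects that input outright. In a libpq client the stronger fix is to avoid building SQL strings at all and pass user input as query parameters (PQexecParams), alongside updating to the fixed releases named in this post.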

Similarly, if quoting syntax is mishandled in PostgreSQL's command-line utilities, SQL injection remains possible when the client_encoding parameter is set to BIG5 and the server_encoding parameter is set to EUC_TW or MULE_INTERNAL.

Research also shows that a successful exploit of CVE-2025-1094 can give an attacker control of the entire system. psql supports meta-commands that extend the tool with additional operations, including running shell commands via the exclamation mark (!); an attacker who can inject into psql input can use this to execute shell commands at the operating-system level, leading to arbitrary code execution and control of the host.

PostgreSQL users need to update to version 17.3, 16.7, 15.11, 14.16 or 13.19, or newer, to receive the patch for this vulnerability.

References

  1. CVE-2025-1094: https://nvd.nist.gov/vuln/detail/CVE-2025-1094

  2. CVE-2024-12356: https://nvd.nist.gov/vuln/detail/CVE-2024-12356

  3. PostgreSQL: https://www.postgresql.org/support/security/CVE-2025-1094

  4. Rapid7 report: https://www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/
