SQL Injection Vulnerability in PostgreSQL interactive tool psql – CVE-2025-1094

ISGroup Cybersecurity

CVE-2025-1094 is a critical SQL injection vulnerability discovered by Rapid7, affecting all supported versions of PostgreSQL prior to versions 17.3, 16.7, 15.11, 14.16, and 13.19. The vulnerability was identified during the analysis of an attack that exploited CVE-2024-12356, an unauthenticated remote code execution (RCE) flaw in BeyondTrust products. In all tested cases, successful exploitation of CVE-2024-12356 first required the exploitation of CVE-2025-1094 to achieve code execution.

With a CVSS score of 8.1 (High), this vulnerability stems from flaws in PostgreSQL’s psql tool, which allow an attacker to inject SQL commands via specially crafted input. This issue remained a zero-day until its disclosure by Rapid7.

Date2025-02-20 16:22:45
Information
  • Trending
  • Fix Available

Technical Summary

CVE-2025-1094 is caused by an incorrect assumption regarding the security of input passed through PostgreSQL’s string escaping routines. These routines are designed to handle untrusted input within SQL queries, but an attacker can bypass these protections in specific scenarios where invalid UTF-8 characters are processed incorrectly by the psql tool.

The vulnerability occurs when the psql tool executes a SQL statement containing escaped untrusted input that includes invalid byte sequences, leading to a successful SQL injection. If an attacker succeeds in injecting SQL commands, they can escalate the attack by executing meta-commands via psql, which allow for the execution of shell commands on the underlying operating system.

Alternatively, attackers can execute arbitrary, attacker-controlled SQL commands directly in the PostgreSQL database, with the potential to further compromise the system, including data exfiltration, data manipulation, or system compromise.

Exploitation Scenarios:

  1. SQL Injection
    Attackers can inject arbitrary SQL code through psql, bypassing escaping protections. This can allow unauthorized access to sensitive data or the manipulation of database operations.

  2. Arbitrary Code Execution via Meta-commands
    Exploitation of the SQL injection allows attackers to use psql meta-commands, which execute OS shell commands. This can lead to full control of the affected system, including the ability to execute arbitrary commands with operating system privileges.

Recommendations

  1. Update PostgreSQL

Users should immediately update to PostgreSQL 17.3, 16.7, 15.11, 14.16, or 13.19, which resolve the SQL injection vulnerability and ensure system protection from exploitation.

  1. Verify and Monitor SQL Queries
  • Implement additional security measures such as input validation and parameterized queries to prevent further SQL injection vulnerabilities.
  • Review the use of meta-commands within the PostgreSQL interactive tool (psql) to limit the possibility of untrusted users executing arbitrary shell commands.
  1. Restrict Access to psql

Limit access to psql only to trusted administrators, and disable interactive shell command execution for regular users, if possible.

[Callforaction-THREAT-Footer]