A critical SQL injection flaw in PostgreSQL's libpq allows attackers to achieve remote code execution. CVSS 8.1 — all versions before 17.3, 16.7, 15.11, 14.16, 13.19 are affected. Patch immediately.
A critical vulnerability tracked as CVE-2025-1094 has been discovered in PostgreSQL's libpq library, affecting the way SQL queries handle string escaping. The flaw allows an attacker to inject arbitrary SQL commands and, under certain configurations, achieve remote code execution (RCE) on the database server.
Type: SQL Injection via improper quoting in libpq functions
Impact: Remote Code Execution, Data Exfiltration, Privilege Escalation
Affected: PostgreSQL < 17.3, < 16.7, < 15.11, < 14.16, < 13.19
The vulnerability exists in PostgreSQL's libpq functions — specifically PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn(). These functions are responsible for escaping user-supplied input before it's embedded into SQL queries.
The flaw arises from incorrect handling of invalid UTF-8 byte sequences. When a specially crafted string containing malformed UTF-8 is passed to these escaping functions, the quoting logic can be bypassed, allowing an attacker to break out of the string context and inject arbitrary SQL.
COPY TO/FROM PROGRAM or custom function creation, the attacker can execute OS commandsRapid7 researchers demonstrated that this vulnerability can be chained with BeyondTrust Remote Support CVE-2024-12356 for unauthenticated RCE.
| Factor | Rating | Details |
|---|---|---|
| CVSS Score | 8.1 (High) | Network-accessible, no authentication required in some configs |
| Exploitability | High | PoC available, active exploitation confirmed |
| Affected Installations | Massive | PostgreSQL powers ~35% of enterprise databases globally |
| Data Risk | Critical | Full database read/write, potential OS-level access |
PQescapeLiteral, PQescapeIdentifier, and related functionsPQexecParams() over string concatenation with escapingCOPY PROGRAM usage in query logsAI-powered vulnerability management with 331,910+ CVEs indexed.
Start Free TrialStay secure. Stay vigilant.
🗡️ KENSAI Security Team