A critical vulnerability in PostgreSQL's libpq client library (CVE-2025-1094) allows attackers to achieve remote code execution through a novel SQL injection vector that bypasses parameterized query protections. With a CVSS score of 8.1, this flaw affects all PostgreSQL versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19. Active exploitation has been observed in the wild, particularly in combination with the BeyondTrust CVE-2024-12356 vulnerability.
⚡ Bottom line: Patch PostgreSQL immediately — this is being actively exploited in the wild.
The vulnerability resides in PostgreSQL's libpq library — the C client interface used by virtually every PostgreSQL application. The flaw stems from improper handling of invalid UTF-8 byte sequences in the string escaping functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn().
An attacker can craft malicious input containing specific invalid UTF-8 sequences that cause the escaping routines to produce incorrectly quoted output. This effectively breaks out of SQL string literals, enabling arbitrary SQL injection even when applications believe they are using safe parameterized queries.
Rapid7 researchers discovered CVE-2025-1094 while investigating the BeyondTrust Remote Support vulnerability (CVE-2024-12356). The PostgreSQL flaw was the critical missing piece — the BeyondTrust RCE exploit chain actually required CVE-2025-1094 to achieve code execution. This means organizations that patched BeyondTrust but not PostgreSQL may still be vulnerable.
The attack works by sending specially crafted UTF-8 byte sequences through any application that uses libpq for database connections. When the escaping functions process these invalid sequences, they produce syntactically valid but semantically corrupted SQL. In interactive terminal sessions (psql), this can escalate to operating system command execution via PostgreSQL's ! meta-command.
| CVE | Component | CVSS | Impact |
|---|---|---|---|
| CVE-2025-1094 | PostgreSQL libpq | 8.1 | SQL Injection → Remote Code Execution |
| CVE-2024-12356 | BeyondTrust Remote Support | 9.8 | Unauthenticated Command Injection |
Full read/write access to all database contents, including credentials and sensitive data
OS-level command execution as the PostgreSQL service account, typically with significant system privileges
Combined with BeyondTrust CVE-2024-12356 for complete remote access without authentication
PostgreSQL is the world's most advanced open-source database, powering an estimated 800,000+ organizations globally. Every application using libpq — including popular frameworks like Django, Rails, and Node.js pg — is potentially affected.
| Version Branch | Affected | Fixed In |
|---|---|---|
| PostgreSQL 17 | 17.0 – 17.2 | 17.3 |
| PostgreSQL 16 | 16.0 – 16.6 | 16.7 |
| PostgreSQL 15 | 15.0 – 15.10 | 15.11 |
| PostgreSQL 14 | 14.0 – 14.15 | 14.16 |
| PostgreSQL 13 | 13.0 – 13.18 | 13.19 |
Get a free security scan of your website in 60 seconds
Free Security Scan →