Skip to main content

PostgreSQL CVE-2025-1094

HIGH
Improper Neutralization of Quoting Syntax (CWE-149)
2025-02-13 f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Apr 04, 2026 - 20:30 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 18:26 vuln.today
PoC Detected
Feb 21, 2025 - 18:15 vuln.today
Public exploit code
CVE Published
Feb 13, 2025 - 13:15 nvd
HIGH 8.1

DescriptionCVE.org

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

AnalysisAI

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperly neutralize quoting syntax, enabling SQL injection when function results are used to construct psql input. This vulnerability was used as the initial access vector in the BeyondTrust RS compromise chain.

Technical ContextAI

The libpq escape functions are designed to safely quote strings for SQL statements. However, they fail to properly handle certain quoting syntax patterns, allowing an attacker who controls a database input value to inject SQL when the escaped output is used to construct commands for the psql client. This is particularly dangerous in applications that pipe escaped values into psql for execution.

Affected ProductsAI

PostgreSQL libpq (all versions before patch) Applications using PQescapeLiteral/PQescapeIdentifier/PQescapeString/PQescapeStringConn with psql

RemediationAI

Update PostgreSQL to the latest patched version. Audit applications for patterns where libpq escape function outputs are passed to psql. Use parameterized queries instead of string escaping where possible. Review the BeyondTrust advisory chain for indicators of compromise.

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

CVE-2026-30860 CRITICAL POC
9.9 Mar 07

SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database c

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/manager/5.0/x86_64/server-migration-14-16:5.0.4.7.14.1 Container suse/multi-linux-manager/5.1/x86_64/server-migration-14-16:5.1.0.6.27 Image server-database-migration-image Image server-migration-14-16-image Affected
Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1 Affected
Container suse/multi-linux-manager/5.1/x86_64/server-postgresql:5.1.2.6.13.1 Container suse/postgres:16.9-13.5 Affected
Container suse/multi-linux-manager/5.1/x86_64/server:5.1.0.6.40 Affected
Container suse/postgres:18.1-61.1 Affected

Share

CVE-2025-1094 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy