CVE-2025-1094: High vulnerability affects PostgreSQL
In recent days, a critical vulnerability (CVE-2025-1094) has been discovered in PostgreSQL that could compromise the integrity of databases in enterprise and production environments. This flaw allows a remote attacker to achieve SQL injection by exploiting the libpq escaping functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() and PQescapeStringConn().
PostgreSQL is a widely used open source relational database management system. The CVE-2025-1094 vulnerability is due to improper neutralization of quoting syntax in several PostgreSQL command-line programs and libpq functions, which allows a provider of database input to achieve SQL injection in certain usage patterns. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16 and 13.19 are affected.
CVE-2025-1094 main features
The main characteristics of this vulnerability are detailed below.
- CVE Identifier: CVE-2025-1094.
- Publication date: 02/13/2025.
- Affected Software: PostgreSQL.
- CVSS Score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1 High).
- Affected versions:
  - PostgreSQL 17 (before v17.3).
  - PostgreSQL 16 (before v16.7).
  - PostgreSQL 15 (before v15.11).
  - PostgreSQL 14 (before v14.16).
  - PostgreSQL 13 (before v13.19).
- Operational requirements:
  - Using the PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() or PQescapeStringConn() functions to construct input that is later passed to psql.
  - Using PostgreSQL command-line programs with client_encoding BIG5 and server_encoding EUC_TW or MULE_INTERNAL.
Mitigation
The main solution is to urgently update the PostgreSQL component to the new available versions that correct this vulnerability:
- v17.3.
- v16.7.
- v15.11.
- v14.16.
- v13.19.
Additionally, it is recommended to review the encoding configurations on the affected systems, ensuring that the client_encoding BIG5 and server_encoding EUC_TW or MULE_INTERNAL values are not used, as they could facilitate the exploitation of the vulnerability.
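The two exposure conditions above (an unpatched libpq or server branch, and the BIG5 / EUC_TW or MULE_INTERNAL encoding pair) can be checked together. The following is an added example written for this post, not code from PostgreSQL or from the advisory; it assumes you feed it the output of `SHOW server_version_num`, `SHOW client_encoding` and `SHOW server_encoding` (or the integer returned by libpq's `PQlibVersion()`), and it treats majors newer than 17 as patched, which is an assumption.

```python
import re

# First fixed minor release per supported major branch, as listed in the advisory.
FIXED_MINOR = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}

# Encoding pair under which the command-line utilities are injectable (from the advisory).
RISKY_CLIENT_ENCODING = "BIG5"
RISKY_SERVER_ENCODINGS = {"EUC_TW", "MULE_INTERNAL"}


def parse_version(version):
    """Return (major, minor) from '17.2'-style strings or from the integer form
    used by server_version_num and PQlibVersion(), e.g. 170002 -> (17, 2)."""
    if isinstance(version, int):
        return version // 10000, version % 10000
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PostgreSQL version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_patched(version):
    """True when the version is at or after the fixing release of its branch.
    Majors below 13 are out of community support and reported as unpatched;
    majors above 17 are assumed to ship the fix (assumption, not from the advisory)."""
    major, minor = parse_version(version)
    if major < 13:
        return False
    if major > 17:
        return True
    return minor >= FIXED_MINOR[major]


def assess(libpq_version, server_version, client_encoding, server_encoding):
    """Return the list of CVE-2025-1094 exposure conditions that apply to a deployment."""
    findings = []
    if not is_patched(libpq_version):
        findings.append("libpq escaping functions (PQescape*) are unpatched")
    if not is_patched(server_version):
        findings.append("server and command-line utilities are unpatched")
    if (client_encoding.upper() == RISKY_CLIENT_ENCODING
            and server_encoding.upper() in RISKY_SERVER_ENCODINGS):
        findings.append("risky encoding pair: client BIG5 with server "
                        f"{server_encoding.upper()}")
    return findings


if __name__ == "__main__":
    # Constructed sample: libpq 17.2 talking to a patched 17.3 server with the risky encodings.
    for finding in assess("17.2", 170003, "BIG5", "EUC_TW"):
        print("EXPOSED:", finding)
```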
The PostgreSQL Global Development Group has published a statement with official information and possible updates related to this vulnerability.
Vulnerability detection
The presence of the vulnerability can be identified through a proof of concept available on GitHub: PoC. It is a Metasploit module (linux/http/beyondtrust_pra_rs_unauth_rce), listed in the references below, that targets BeyondTrust Privileged Remote Access and Remote Support and covers both CVE-2024-12356 and CVE-2025-1094.
As part of its emerging vulnerability service, Tarlogic Security proactively monitors its clients’ perimeter to urgently report, detect and notify the presence of this vulnerability, as well as other critical threats that could cause a serious impact on the security of their assets.
References:
- Exploit module for BeyondTrust Privileged Remote Access & Remote Support (CVE-2024-12356, CVE-2025-1094) by sfewer-r7, Pull Request #19877, rapid7/metasploit-framework, GitHub.
- NVD: CVE-2025-1094.
- metasploit-framework/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb at master, rapid7/metasploit-framework, GitHub.