
SQL injection vulnerability discovered with high severity by Rapid7

Uncovered by Rapid7: A high-severity SQL injection vulnerability, identified as CVE-2025-1094, affecting the PostgreSQL interactive tool psql. The finding was made during Rapid7's investigation into the recent abuse of CVE-2024-12356 - an unauthenticated remote code execution vulnerability...

Uncovered by Rapid7: Critical SQL Injection Vulnerability with High Impact

Rapid7, a leading cybersecurity company, has announced the discovery of a high-severity SQL injection vulnerability, CVE-2025-1094, affecting the PostgreSQL interactive tool, psql. This vulnerability, which has a CVSS 3.1 base score of 8.1 (High), can potentially allow an attacker to execute arbitrary SQL statements and achieve arbitrary code execution.

The vulnerability stems from an incorrect assumption: that once attacker-controlled, untrusted input has been escaped with PostgreSQL's string escaping routines, it can no longer be used to construct a successful SQL injection. CVE-2025-1094 shows this assumption to be false, because an attacker can still achieve SQL injection despite the escaping.

psql's \! meta-command (a backslash followed by an exclamation mark) executes an operating system shell command. An attacker who achieves SQL injection via CVE-2025-1094 can use this meta-command to control which shell command is executed, turning the injection into arbitrary code execution.

All supported versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected by CVE-2025-1094. To remediate this vulnerability, PostgreSQL users should upgrade to PostgreSQL 17.3, 16.7, 15.11, 14.16, or 13.19.
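As an added example (not code from Rapid7 or the PostgreSQL project), the following Python check maps the fixed releases listed above to each major branch and decides whether a given psql build is patched; it assumes psql is on PATH and that any major branch newer than 17 was released after the fix.

```python
import re
import subprocess

# First patched minor release per supported major branch, as listed in the
# advisory: PostgreSQL 17.3, 16.7, 15.11, 14.16 and 13.19.
FIXED_VERSIONS = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}

VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_psql_version(banner: str):
    """Extract (major, minor) from output such as 'psql (PostgreSQL) 16.4'.

    Returns None when no dotted version is present (e.g. a pre-release banner
    like '17beta1'), so the caller can treat the build as unverified.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched_for_cve_2025_1094(banner: str) -> bool:
    """True only when psql is on a supported branch at or above the first
    release that carries the fix for CVE-2025-1094."""
    parsed = parse_psql_version(banner)
    if parsed is None:
        return False  # unknown version string: do not assume it is safe
    major, minor = parsed
    if major > max(FIXED_VERSIONS):
        return True  # assumption: any newer major branch shipped after the fix
    fixed_minor = FIXED_VERSIONS.get(major)
    if fixed_minor is None:
        return False  # end-of-life branch (12 and earlier): no fix published
    return minor >= fixed_minor


def check_local_psql() -> bool:
    """Run the installed psql binary and report whether it is patched."""
    result = subprocess.run(
        ["psql", "--version"], capture_output=True, text=True, check=True
    )
    return is_patched_for_cve_2025_1094(result.stdout)


if __name__ == "__main__":
    print("patched" if check_local_psql() else "NOT patched: upgrade psql")
```

Distribution packages sometimes backport fixes without bumping the upstream minor version, so treat a "NOT patched" result from this version-string check as a prompt to confirm against the vendor's changelog rather than as a final verdict.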

The discovery of CVE-2025-1094 was made during research into the exploitation of CVE-2024-12356, an unauthenticated remote code execution vulnerability affecting BeyondTrust Privileged Remote Access and BeyondTrust Remote Support. BeyondTrust patched CVE-2024-12356 in December 2024, but that patch did not address the root cause of CVE-2025-1094, which remained a zero-day until Rapid7 discovered it and reported it to PostgreSQL.

For additional details, users are advised to refer to the PostgreSQL advisory. The disclosure of CVE-2025-1094 was made in accordance with Rapid7's vulnerability disclosure policy. The discovery was made by Stephen Fewer, principal security researcher at Rapid7.

It's crucial for users to prioritise upgrading to the patched versions listed above to mitigate the risks associated with CVE-2025-1094. By doing so, they can ensure the security of their PostgreSQL databases and protect them from potential attacks.
