CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
First published: Thu Feb 13 2025(Updated: )
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Credit: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PostgreSQL | <17.3<16.7<15.11<14.16<13.19 | |
| debian/postgresql-13 | <=13.16-0+deb11u1 | 13.20-0+deb11u1 |
| debian/postgresql-15 | <=15.10-0+deb12u1 | |
| debian/postgresql-17 | 17.4-1 | |
| F5 BIG-IP Next Central Manager |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/postgresql-flaw-exploited-as-zero-day-in-beyondtrust-breach/
- https://www.theregister.com/2025/02/14/postgresql_bug_treasury/
- https://www.postgresql.org/support/security/CVE-2025-1094/
- http://www.openwall.com/lists/oss-security/2025/02/16/3
- http://www.openwall.com/lists/oss-security/2025/02/20/1
- https://lists.debian.org/debian-lts-announce/2025/02/msg00015.html
- https://lists.debian.org/debian-lts-announce/2025/02/msg00024.html
- https://security.netapp.com/advisory/ntap-20250221-0010/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1094
- https://nvd.nist.gov/vuln/detail/CVE-2025-1094
- https://launchpad.net/bugs/cve/CVE-2025-1094
- https://security-tracker.debian.org/tracker/CVE-2025-1094
- https://ubuntu.com/security/CVE-2025-1094
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=7d43ca6fe068015b403ffa1762f4df4efdf68b69
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=61ad93cdd48ecc8c6edf943f4d888a9325b66882
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=43a77239d412db194a69b18b7850580e3b78218f
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=02d4d87ac20e2698b5375b347c451c55045e388d
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=dd3c1eb38e9add293f8be59b6aec7574e8584bdb
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=05abb0f8303a78921f7113bee1d72586142df99e
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=85c1fcc6563843d7ee7ae6f81f29ef813e77a4b6
- https://www.openwall.com/lists/oss-security/2025/02/16/3
- https://www.postgresql.org/about/news/postgresql-174-168-1512-1417-and-1320-released-3018/
- https://my.f5.com/manage/s/article/K000150744
- https://access.redhat.com/errata/RHSA-2025:1720
- https://access.redhat.com/errata/RHSA-2025:1725
- https://access.redhat.com/errata/RHSA-2025:1722
- https://access.redhat.com/errata/RHSA-2025:1721
- https://access.redhat.com/errata/RHSA-2025:1728
- https://access.redhat.com/errata/RHSA-2025:1723
- https://access.redhat.com/errata/RHSA-2025:1724
- https://access.redhat.com/errata/RHSA-2025:1733
- https://access.redhat.com/errata/RHSA-2025:1729
- https://access.redhat.com/errata/RHSA-2025:1732
- https://access.redhat.com/errata/RHSA-2025:1726
- https://access.redhat.com/errata/RHSA-2025:1727
- https://access.redhat.com/errata/RHSA-2025:1730
- https://access.redhat.com/errata/RHSA-2025:1731
- https://access.redhat.com/errata/RHSA-2025:1735
- https://access.redhat.com/errata/RHSA-2025:1738
- https://access.redhat.com/errata/RHSA-2025:1736
- https://access.redhat.com/errata/RHSA-2025:1737
- https://access.redhat.com/errata/RHSA-2025:1742
- https://access.redhat.com/errata/RHSA-2025:1743
- https://access.redhat.com/errata/RHSA-2025:1741
- https://access.redhat.com/errata/RHSA-2025:1740
- https://access.redhat.com/errata/RHSA-2025:1744
- https://access.redhat.com/errata/RHSA-2025:1739
- https://access.redhat.com/errata/RHSA-2025:1745
- https://access.redhat.com/errata/RHSA-2025:3050
- https://access.redhat.com/errata/RHSA-2025:3062
- https://access.redhat.com/errata/RHSA-2025:3063
- https://access.redhat.com/errata/RHSA-2025:3064
- https://access.redhat.com/errata/RHSA-2025:3082
- https://access.redhat.com/errata/RHSA-2025:3978
- https://bugzilla.redhat.com/show_bug.cgi?id=2345548
Frequently Asked Questions
What is the severity of CVE-2025-1094?
CVE-2025-1094 is classified as a high-severity vulnerability due to its potential for SQL injection exploitation.
How do I fix CVE-2025-1094?
To mitigate CVE-2025-1094, it is recommended to upgrade PostgreSQL to versions 17.3, 16.7, 15.11, 14.16, or 13.19 or later.
What types of functions are affected by CVE-2025-1094?
CVE-2025-1094 affects the PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() functions in PostgreSQL.
Who is affected by CVE-2025-1094?
Users of PostgreSQL versions below 17.3, 16.7, 15.11, 14.16, and 13.19 are potentially affected by CVE-2025-1094.
What is SQL injection in the context of CVE-2025-1094?
In the context of CVE-2025-1094, SQL injection allows attackers to manipulate queries through improperly sanitized inputs in PostgreSQL libpq functions.
- agent/author
- agent/type
- agent/title
- agent/first-publish-date
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-12356
- alias/CVE-2024-12686
- alias/CVE-2025-1094
- collector/the-register
- source/The Register
- agent/news-ai
- zeroday/true
- exploited/true
- collector/oss-sec
- source/oss-sec
- agent/weakness
- collector/nvd-api
- source/NVD
- collector/usn-cve
- source/Ubuntu
- agent/guess-ai
- agent/software-canonical-lookup
- collector/nvd-cve
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/source
- agent/references
- agent/description
- collector/f5-advisory
- source/F5
- agent/trending
- agent/softwarecombine
- agent/tags
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- vendor/postgresql
- canonical/postgresql
- package-manager/debian
- vendor/f5
- canonical/f5 big-ip next central manager