PostgreSQL SQL Injection Vulnerability (CVE-2025-1094)

Overview

In a recent security announcement, NSFOCUS CERT has identified a significant SQL injection vulnerability in PostgreSQL, designated as CVE-2025-1094, which carries a CVSS score of 8.1. The vulnerability arises from the way the psql tool handles invalid UTF-8 characters: a malformed byte sequence can cause what should be a single SQL statement to be split into several. Unauthenticated attackers can exploit this flaw by crafting specific inputs, allowing them to execute arbitrary code through the PostgreSQL interactive terminal, psql. The details of this vulnerability, along with proof of concept (PoC) exploits, have been disclosed and are currently in circulation. Users are urged to implement protective measures promptly.

PostgreSQL stands out as a robust, flexible, and customizable open-source relational database management system (RDBMS), compatible with a variety of operating systems including Windows, Linux, UNIX, Mac OS X, and BSD.

For further information, please refer to the official announcement: PostgreSQL Security Announcement.

Scope of Impact

Affected versions:

  • 17 <= PostgreSQL < 17.3
  • 16 <= PostgreSQL < 16.7
  • 15 <= PostgreSQL < 15.11
  • 14 <= PostgreSQL < 14.16
  • 13 <= PostgreSQL < 13.19

Unaffected versions:

  • PostgreSQL >= 17.3
  • PostgreSQL >= 16.7
  • PostgreSQL >= 15.11
  • PostgreSQL >= 14.16
  • PostgreSQL >= 13.19

Detection

Users can determine whether their PostgreSQL version is affected by executing the following command:

[Figure: Check PostgreSQL Version]

SQL query:

[Figure: SQL Query Example]
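The check described above, written out as an added example that is not part of the NSFOCUS advisory: it parses the version string returned by `SELECT version();` (or printed by `psql --version`) and compares it against the fixed releases listed in the "Unaffected versions" section. The sample version strings are constructed for illustration; the `FIXED_MINOR` table is taken from this advisory.

```python
import re

# Minimum fixed minor release per major branch, copied from the
# advisory's "Unaffected versions" list (17.3, 16.7, 15.11, 14.16, 13.19).
FIXED_MINOR = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}

# Matches both server output ("PostgreSQL 16.4 on x86_64-...") and the
# client banner ("psql (PostgreSQL) 16.4"). The vulnerable component is
# psql itself, so the client version is the one that matters most.
VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor) parsed from a version string, or raise ValueError."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no PostgreSQL version found in: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(text):
    """True if the version is below the fixed release for its branch,
    False if it is at or above it, None if the branch is not covered by
    the advisory's table (e.g. 12.x or older)."""
    major, minor = parse_version(text)
    if major not in FIXED_MINOR:
        return None
    return minor < FIXED_MINOR[major]


def report(version_strings):
    """Map each version string to 'affected', 'fixed' or 'not covered'."""
    labels = {True: "affected", False: "fixed", None: "not covered"}
    return {s: labels[is_affected(s)] for s in version_strings}


if __name__ == "__main__":
    # Constructed samples; in practice feed in the output of
    #   psql --version
    #   psql -Atc "SELECT version();"
    samples = [
        "psql (PostgreSQL) 16.4",
        "PostgreSQL 17.3 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 13.2.0, 64-bit",
        "PostgreSQL 13.19 (Debian 13.19-1.pgdg120+1) on x86_64-pc-linux-gnu",
        "PostgreSQL 12.20 on x86_64-pc-linux-gnu",
    ]
    for line, verdict in report(samples).items():
        print(f"{verdict:>12}: {line}")
```

Because psql is a client program, run `psql --version` on every host that invokes it (application servers, CI runners, backup jobs), not only on the database server; a patched server does nothing for an unpatched client.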

Mitigation

Official upgrade:

A new version has been released to address this vulnerability. Affected users are strongly encouraged to upgrade as soon as possible. The download link can be found here: PostgreSQL Download.

Temporary measures:

If an immediate upgrade is not feasible, users may consider the following temporary solutions:

  1. Verify UTF-8 encoding: Reject or cleanse any input containing invalid UTF-8 sequences before passing it to psql.
  2. Avoid dynamic SQL: Use parameterized queries or an ORM framework so that raw input is not embedded directly in statements handed to psql.
  3. Restrict access permissions: Limit psql tool access to a whitelist of trusted users and hosts, ensuring that essential services remain unaffected.
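One way to implement the first temporary measure, as an added example that is not part of the advisory: validate that input is well-formed UTF-8 with a strict decode and refuse it otherwise, rather than silently substituting replacement characters. The byte strings below are constructed samples covering the common classes of malformed sequences.

```python
def validate_utf8(raw: bytes) -> str:
    """Return the decoded text if `raw` is well-formed UTF-8, else raise ValueError.

    A strict decode rejects truncated multi-byte sequences, stray continuation
    bytes and overlong encodings. Using errors="replace" instead would hide the
    problem by turning bad bytes into U+FFFD, so it is deliberately avoided.
    """
    try:
        return raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid UTF-8 at byte {exc.start}: {exc.reason}") from exc


def is_valid_utf8(raw: bytes) -> bool:
    """Boolean form of the same check, for use as a gate before calling psql."""
    try:
        validate_utf8(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: one valid string and three malformed ones.
    samples = {
        "valid":               "café".encode("utf-8"),  # b'caf\xc3\xa9'
        "truncated sequence":  b"caf\xc3",              # lead byte with no continuation
        "stray continuation":  b"ab\xa9cd",             # continuation byte on its own
        "overlong encoding":   b"\xc0\xaf",             # overlong form of '/'
    }
    for label, raw in samples.items():
        print(f"{label:>20}: {'accept' if is_valid_utf8(raw) else 'reject'}")
```

Apply the check at the boundary where untrusted bytes enter the process, before the value reaches any command line, script or variable that psql will interpret; once the text is known to be valid UTF-8 it can still be passed only as a bound parameter, per the second measure.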

Statement

This advisory serves to outline a potential risk. NSFOCUS does not assume any responsibility or liability for any direct or indirect consequences resulting from the dissemination or use of this advisory. All rights to modify and interpret this advisory are reserved by NSFOCUS. When reproducing or distributing this advisory, please include this statement without alterations.

About NSFOCUS

NSFOCUS is a leading figure in the cybersecurity landscape, committed to protecting telecommunications, Internet service providers, hosting providers, and enterprises from advanced cyber threats. Established in 2000, NSFOCUS operates on a global scale with over 4,000 employees across two headquarters in Beijing, China, and Santa Clara, CA, USA, along with more than 50 offices worldwide. The company has a proven history of safeguarding over 25% of the Fortune Global 500, including four of the five largest banks and six of the top ten telecommunications companies globally.

With a focus on technical innovation, NSFOCUS offers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOCs, DDoS Protection, Continuous Threat Exposure Management (CTEM) Services, and Web Application and API Protection (WAAP). These solutions are enhanced by the Security Large Language Model (SecLLM), machine learning, patented algorithms, and other cutting-edge research developed by NSFOCUS.
