The PostgreSQL Global Development Group has released out-of-cycle security updates for all supported versions, addressing three vulnerabilities, two of which allow a user of the source database to plant code that runs when a dump of that database is restored. The flaws affect PostgreSQL 13 through 17 and are fixed in 17.6, 16.10, 15.14, 14.19, and 13.22.
Among the identified security flaws, two stand out due to their severe implications for organizations that depend on PostgreSQL’s backup and restoration functionalities.
Key Takeaways
1. Two pg_dump flaws let a user of the source database inject psql meta-commands that run as the OS account restoring the dump.
2. An optimizer statistics bug lets users read sampled rows from views, partitions, or child tables they are not allowed to query directly.
3. Upgrade to 17.6, 16.10, 15.14, 14.19, or 13.22, then re-take dumps with the patched pg_dump and restore them with the patched psql.
Both code-execution flaws live in the output of pg_dump, the standard backup tool, so a routine backup-and-restore cycle becomes the attack vector.
Malicious Superuser Code Injection Flaw
The first, CVE-2025-8714, has a CVSS score of 8.8 and allows a malicious superuser on the origin server to inject arbitrary code that executes at restore time. pg_dump includes untrusted data from the database in its plain-format output without neutralizing it, so a superuser can arrange for psql meta-commands to appear in the dump file.
When an administrator restores such a dump with psql, the embedded meta-commands run with the privileges of the client operating system account doing the restore, not those of the database server. The PostgreSQL advisory notes that this mirrors CVE-2024-21096 in MySQL's dump tooling, so the problem is not specific to one database platform.
The vulnerability is not limited to the primary pg_dump utility; it also affects pg_dumpall for cluster-wide backups and pg_restore when generating plain-format dumps. Security researchers Martin Rakhmanov, Matthieu Denais, and RyotaK discovered and reported this critical flaw to the PostgreSQL project.
The second high-severity flaw, CVE-2025-8715, also scores 8.8 and stems from improper neutralization of newlines in object names in pg_dump output. Any user who can create objects on the origin server (superuser is not required here) can give an object a name containing a newline followed by a psql meta-command.
During restoration the name breaks out of the line pg_dump meant it to stay on, so psql executes the meta-command on the client system and, depending on where the name lands, the attacker can also obtain SQL injection as a superuser on the target server. This is a regression: the fix for CVE-2012-0868 had closed this class of bug, and the 11.20 minor release reintroduced it.
This flaw also affects pg_dumpall, pg_restore, and pg_upgrade, so every maintenance path that consumes dump output is exposed. Noah Misch, a PostgreSQL contributor, identified and reported this vulnerability.
CVE-2025-8713 is a lower-severity information disclosure in PostgreSQL's optimizer statistics. With a CVSS score of 3.1, it lets a user read the sampled values that the planner keeps for views, partitions, or child tables, even when access control lists or row security policies would prevent that user from querying the underlying rows directly.
| CVE | Title | CVSS v3.1 Score | Severity |
| --- | --- | --- | --- |
| CVE-2025-8714 | pg_dump lets superuser execute arbitrary code in psql client | 8.8 | High |
| CVE-2025-8715 | pg_dump newline in object name executes arbitrary code | 8.8 | High |
| CVE-2025-8713 | Optimizer statistics expose sampled data in restricted views | 3.1 | Low |
Immediate remediation requires upgrading to the fixed PostgreSQL versions: 17.6, 16.10, 15.14, 14.19, or 13.22, released on August 14, 2025. Note that the fix changes what pg_dump writes (the patched pg_dump wraps its output in new \restrict and \unrestrict psql meta-commands, and the patched psql refuses other meta-commands between them), so upgrading the server alone is not enough: dumps must be re-taken with a patched pg_dump and restored with a patched psql, and dump files produced before the upgrade remain unsafe. Organizations are also advised to treat a dump as code written by whoever could create objects on the source database, to restrict who may run database administration tools, to validate dumps from untrusted sources before feeding them to psql, and to run restores under a least-privilege operating system account.
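The following is an added example of the "validate dumps from untrusted sources" check, written for this page; it is not code from the PostgreSQL project or from the original article. It scans a plain-format dump for lines psql would run as backslash meta-commands, which is how both the newline-in-object-name bug described above and the superuser injection flaw surface in a dump file. The sample dump is constructed for the demo, and the allowlist of meta-commands that a clean dump is expected to contain is an assumption that you may need to extend for your own dumps.

```python
"""Flag psql meta-commands in a plain-format PostgreSQL dump.

Added example, not PostgreSQL project code. Any line that psql would treat
as a backslash meta-command is reported unless it is one that pg_dump or
pg_dumpall legitimately emits. Lines inside a COPY ... FROM stdin block are
table data and are skipped, since backslashes there are COPY escapes.
"""
import re
import sys

# Assumption: these are the only meta-commands a clean dump should contain
# (\connect from pg_dumpall, \restrict/\unrestrict from a patched pg_dump).
EXPECTED_META = {"\\connect", "\\restrict", "\\unrestrict"}

# Start of a COPY data block; it ends at a line consisting of exactly "\.".
COPY_STDIN = re.compile(r"^COPY\s.*\bFROM\s+stdin;\s*$", re.IGNORECASE)


def find_meta_commands(dump_text):
    """Return [(line_no, line)] for every unexpected backslash command.

    The check is deliberately conservative: it does not track multi-line
    quoted identifiers, so a backslash line that is really inside a quoted
    name is reported too. Any hit means the dump needs a human look before
    it is piped into psql.
    """
    findings = []
    in_copy_data = False
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        if in_copy_data:
            if line == "\\.":
                in_copy_data = False
            continue
        if COPY_STDIN.match(line):
            in_copy_data = True
            continue
        stripped = line.lstrip()
        if not stripped.startswith("\\"):
            continue
        command = stripped.split(None, 1)[0]
        if command not in EXPECTED_META:
            findings.append((line_no, line))
    return findings


# Constructed sample: a dump fragment in which a table was named
# "t1" + newline + "\! echo injected". pg_dump's "-- Name: ..." header
# comment ends at the newline, so the next line is no longer a comment and
# psql would execute it as a shell command on the restoring machine.
SAMPLE_DUMP = r"""--
-- PostgreSQL database dump
--
\restrict abc123
SET client_encoding = 'UTF8';
--
-- Name: t1
\! echo injected; Type: TABLE; Schema: public; Owner: app
--
CREATE TABLE public."t1
\! echo injected" (
    id integer
);
--
-- Name: t2; Type: TABLE DATA; Schema: public; Owner: app
--
COPY public.t2 (note) FROM stdin;
\\backslash-in-data
\.
\unrestrict abc123
"""


if __name__ == "__main__":
    # Usage: python check_dump.py dump.sql  (exit status 1 if anything is found)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    hits = find_meta_commands(text)
    for line_no, line in hits:
        print(f"line {line_no}: {line}")
    sys.exit(1 if hits else 0)
```

Run against the constructed sample it reports lines 8 and 11; the `\restrict`/`\unrestrict` pair and the backslash inside the COPY data are correctly ignored. A hit on a dump from a database you do not fully trust is reason to inspect the object names on the source rather than to clean the file by hand, since the same name will reappear in every future dump.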