Experts discovered PostgreSQL flaw chained with BeyondTrust zeroday in targeted attacks

Researchers from Rapid7 have unveiled a significant SQL injection vulnerability in PostgreSQL, designated as CVE-2025-1094. This flaw was identified during an investigation into the exploitation of another vulnerability, CVE-2024-12356, which had already been patched by BeyondTrust in December 2024. While the patch addressed the immediate threat posed by CVE-2024-12356, it did not rectify the underlying issue of CVE-2025-1094, allowing it to persist as a zero-day until Rapid7 brought it to the attention of PostgreSQL.

The investigation into the cyberattack against BeyondTrust revealed a chain of vulnerabilities, including CVE-2024-12356 and CVE-2024-12686, that were exploited to gain unauthorized access to Remote Support SaaS instances, notably affecting the Treasury Department.

“In every scenario we tested, a successful exploit for CVE-2024-12356 required the exploitation of CVE-2025-1094 to achieve remote code execution,” stated Rapid7 in their advisory. “While BeyondTrust’s patch effectively blocked exploitation of both vulnerabilities, it did not address the root cause of CVE-2025-1094, which remained unreported until our discovery.”

The vulnerability, rated CVSS 8.1, stems from improper handling of quoting syntax in PostgreSQL’s libpq functions, including PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn(). It is triggered when an application feeds the output of these functions into input for psql, PostgreSQL’s interactive terminal, rather than into a parameterized query.

PostgreSQL releases earlier than 17.3, 16.7, 15.11, 14.16, and 13.19 in their respective branches are affected, potentially allowing attackers to inject malicious SQL commands. Exploitation of CVE-2025-1094 takes advantage of how PostgreSQL processes invalid UTF-8 byte sequences, which breaks the quoting produced by the escaping routines and enables SQL injection through psql. From there, attackers can execute arbitrary code by leveraging psql meta-commands, in particular the \! (exclamation mark) command, which runs operating system shell commands and can grant full control over the host.

“The interaction between PostgreSQL’s string escaping routines and the processing of invalid byte sequences within invalid UTF-8 characters allows an attacker to generate a SQL injection,” the report elaborates. “Once an attacker can initiate a SQL injection via CVE-2025-1094, they can achieve arbitrary code execution by utilizing the interactive tool’s meta-command capabilities.”
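The mechanism described above has two defensive lessons for code that still builds psql input from untrusted text: validate the bytes as strict UTF-8 before any quoting routine sees them, and audit the generated script for meta-commands before handing it to the psql binary. The following is an added illustration, not code from the article, Rapid7, or PostgreSQL. The function names, the accounts table, the constructed sample inputs, and the assumption that standard_conforming_strings is on (the PostgreSQL default) are all mine; the real fix remains upgrading libpq and preferring parameterized queries over string construction.

```python
"""Boundary checks for applications that build psql scripts from untrusted bytes.

Added illustration (not from the article, Rapid7 or PostgreSQL). It assumes the
application receives raw bytes, that the server encoding is UTF-8, and that
standard_conforming_strings is on, so a single quote is the only character that
needs doubling inside a '...' literal.
"""
from typing import List


def is_valid_utf8(data: bytes) -> bool:
    """Strict UTF-8 validation.

    Python's strict decoder rejects truncated multibyte sequences, overlong
    encodings and encoded surrogates, which is exactly the class of input that
    must never reach an escaping routine.
    """
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def quote_literal(raw: bytes) -> str:
    """Quote a SQL string literal only after the bytes pass strict validation.

    Invalid byte sequences are refused outright rather than escaped, because
    the escaping step is where CVE-2025-1094 class bugs live.
    """
    if not is_valid_utf8(raw):
        raise ValueError("refusing to quote input that is not valid UTF-8")
    text = raw.decode("utf-8")
    return "'" + text.replace("'", "''") + "'"


def find_meta_commands(script: str) -> List[str]:
    """Return every line that psql would read as a meta-command.

    psql treats a leading backslash as a meta-command and \\! runs a shell
    command. The check is deliberately conservative: it flags any such line,
    even one that would sit inside a multi-line literal, because a script built
    from untrusted data should never contain one at all.
    """
    return [line for line in script.splitlines() if line.lstrip().startswith("\\")]


def build_script(user_bytes: bytes) -> str:
    """Build a one-statement psql script from untrusted bytes, validating and auditing it."""
    literal = quote_literal(user_bytes)
    script = f"SELECT * FROM accounts WHERE name = {literal};\n"
    flagged = find_meta_commands(script)
    if flagged:
        raise ValueError(f"generated script contains meta-commands: {flagged}")
    return script


if __name__ == "__main__":
    # Constructed sample inputs: a normal name, a name with a quote,
    # a truncated two-byte sequence and an overlong encoding of '/'.
    samples = [b"alice", b"O'Brien", b"caf\xc3", b"\xc0\xaf"]
    for sample in samples:
        try:
            print(repr(sample), "->", build_script(sample).rstrip())
        except ValueError as exc:
            print(repr(sample), "-> rejected:", exc)
```

Running the module prints one line per constructed sample; the two malformed inputs are rejected before any quoting happens, which is the point: the escaping routine never has to reason about bytes that are not a well-formed character.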

PostgreSQL has since addressed this vulnerability with the release of the following versions:

  • PostgreSQL 17.3
  • PostgreSQL 16.7
  • PostgreSQL 15.11
  • PostgreSQL 14.16
  • PostgreSQL 13.19

The vulnerability was discovered by Stephen Fewer, a Principal Security Researcher at Rapid7.
