Rapid7 has unveiled a significant SQL injection vulnerability, identified as CVE-2025-1094, which poses a threat to the PostgreSQL interactive tool, psql. This discovery emerged during Rapid7’s investigation into another vulnerability, CVE-2024-12356, which allows unauthenticated remote code execution within BeyondTrust’s Privileged Remote Access and Remote Support solutions.
The relationship between these vulnerabilities is critical; exploiting CVE-2024-12356 necessitates the prior exploitation of CVE-2025-1094 to achieve remote code execution. Although BeyondTrust addressed CVE-2024-12356 in December 2024, the patch only mitigated the exploitation pathways without rectifying the underlying cause of CVE-2025-1094. Consequently, the root issue remained unresolved until Rapid7’s recent disclosure.
Vulnerability Details
All supported PostgreSQL versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19 are affected by this vulnerability, which carries a CVSS 3.1 base score of 8.1, indicating a high severity level. The vulnerability was discovered by Stephen Fewer, Principal Security Researcher at Rapid7, who noted that it stems from flawed assumptions regarding the security of escaped untrusted input within PostgreSQL’s string escaping routines.
When that escaped input is later run through the interactive psql tool, it can produce a SQL injection. The root of the issue lies in how PostgreSQL’s string escaping routines handle invalid UTF-8 characters: the routines assume their output is safe to embed in a quoted string, but when psql processes certain invalid byte sequences that assumption fails, and an attacker can exploit CVE-2025-1094. This can lead to arbitrary code execution via psql’s meta-command feature, which is able to execute operating system shell commands under specific conditions.
Moreover, attackers can leverage this vulnerability to execute arbitrary SQL statements controlled by them, thereby significantly amplifying the threat it presents.
To mitigate the risks associated with CVE-2025-1094, PostgreSQL users are strongly advised to upgrade to versions 17.3, 16.7, 15.11, 14.16, or 13.19. Comprehensive details can be found in the PostgreSQL advisory.
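The two defensive checks that follow from the details above (the bug is triggered by invalid UTF-8 bytes reaching the escaping routines, and the fix is shipped in the listed releases) are shown here as an added example; this is not code from Rapid7, PostgreSQL, or the advisory. It assumes you have a server version string (for example from `SELECT version()` or `psql --version`) and a byte string of untrusted input that would otherwise be escaped and fed to psql; the sample inputs are constructed.

```python
"""Defensive checks around CVE-2025-1094 (added example, not the advisory's code).

  1. is_patched(): compare a server version string against the fixed
     releases named in the advisory (17.3, 16.7, 15.11, 14.16, 13.19).
  2. validate_utf8(): reject invalid UTF-8 byte sequences in untrusted
     input before any string-escaping routine sees them, since the bug
     lies in how those routines handle invalid bytes.
"""
import re

# Minimum patched minor release per supported major line, from the advisory.
FIXED_VERSIONS = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_version(version_string: str):
    """Extract (major, minor) from text such as 'PostgreSQL 16.4 on x86_64-...'."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"no version number found in {version_string!r}")
    return int(m.group(1)), int(m.group(2))


def is_patched(version_string: str) -> bool:
    """True if the server is at or above the fixed release for its major line.

    Majors newer than the table are treated as patched; older, unsupported
    majors are treated as unpatched because no fix was issued for them.
    """
    major, minor = parse_version(version_string)
    if major in FIXED_VERSIONS:
        return minor >= FIXED_VERSIONS[major]
    return major > max(FIXED_VERSIONS)


def validate_utf8(data: bytes) -> str:
    """Strictly decode untrusted bytes; raise on any invalid sequence.

    Python's strict UTF-8 decoder rejects truncated multibyte sequences,
    stray continuation bytes, overlong encodings and encoded surrogates,
    so nothing malformed is passed on to a downstream escaping routine.
    """
    try:
        return data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(f"rejected invalid UTF-8 at byte offset {exc.start}") from exc


def check_input(data: bytes) -> bool:
    """Return True if the input may be passed on, False if it was rejected."""
    try:
        validate_utf8(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample version strings and inputs for demonstration.
    for v in ("PostgreSQL 16.4 on x86_64-pc-linux-gnu",
              "PostgreSQL 16.7",
              "PostgreSQL 13.18"):
        print(f"{v!r}: patched={is_patched(v)}")
    for sample in (b"O'Reilly", "Zo\u00eb".encode("utf-8"), b"abc\xc3", b"\x80abc"):
        print(f"{sample!r}: accepted={check_input(sample)}")
```

Rejecting invalid UTF-8 at the boundary is a compensating control, not a substitute for the upgrade: it removes the malformed bytes the escaping routines mishandle, but the version check is what tells you whether the underlying fix is actually installed.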
Additionally, a Metasploit exploit module targeting CVE-2025-1094 against vulnerable BeyondTrust systems is now available, providing a straightforward avenue for exploitation.
This disclosure aligns with Rapid7’s vulnerability disclosure policy, with relevant information and timelines shared in collaboration with the PostgreSQL development group. For further assistance and details regarding security vulnerability reporting and resolutions, users can refer to the official support channels provided by the PostgreSQL Global Development Group.