Researchers have identified a significant SQL injection vulnerability, designated as CVE-2025-1094, within PostgreSQL’s interactive terminal tool, psql. This discovery emerged during investigations into the exploitation of another vulnerability, CVE-2024-12356, which pertains to remote code execution (RCE) in BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products.
The relationship between these vulnerabilities is noteworthy: in every scenario tested, successful exploitation of CVE-2024-12356 required chaining CVE-2025-1094, illustrating how dependencies between separate security flaws can shape an attack path.
PostgreSQL Terminal Tool Injection Vulnerability
CVE-2025-1094 stems from a flawed assumption about the safety of escaped untrusted input in PostgreSQL’s string escaping routines. It was previously thought that properly escaped input would be immune to SQL injection. However, the way psql processes invalid UTF-8 byte sequences allows an attacker to inject SQL statements despite that escaping.
This vulnerability carries a CVSS 3.1 base score of 8.1, indicating high severity. Attackers can leverage this flaw to execute arbitrary SQL statements and achieve arbitrary code execution (ACE) through psql’s meta-command functionality. The relevant meta-command, written as a backslash followed by an exclamation mark (\!), runs operating system shell commands directly from the interactive tool.
The vulnerability was discovered by Stephen Fewer, Principal Security Researcher at Rapid7. CVE-2025-1094 is pivotal in facilitating remote code execution via CVE-2024-12356. Although BeyondTrust issued a patch for CVE-2024-12356 in December 2024, effectively blocking its exploitation path, this fix did not address the underlying cause of CVE-2025-1094, leaving it as a zero-day vulnerability until Rapid7’s disclosure.
This flaw impacts all supported PostgreSQL versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19. Exploitation of CVE-2025-1094 can lead to severe risks, including unauthorized access to databases and potential full system compromise through shell command execution.
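The root cause described above is that an escaping routine was trusted with input that is not well-formed UTF-8. A defensive control that does not depend on the escaping routine is to reject malformed input before it reaches any SQL construction or a psql session. The following is an added example, not code from the advisory, Rapid7 or the PostgreSQL project; the function names are hypothetical, and the sample byte strings are constructed for illustration. It covers both raw bytes and Python strings that were decoded with surrogateescape (the default for argv and environment values on POSIX), where malformed bytes survive as lone surrogates.

```python
"""Added example: gate untrusted input on strict UTF-8 well-formedness
before it is handed to any SQL escaping routine or psql invocation."""


def is_strict_utf8(data: bytes) -> bool:
    """Return True only if data decodes as well-formed UTF-8.

    Python's strict decoder rejects truncated sequences, overlong
    encodings and surrogate code points, which is exactly the class
    of input an escaping routine should never see.
    """
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def is_clean_text(text: str) -> bool:
    """Return True if a str round-trips to UTF-8 without lone surrogates.

    Values read from sys.argv or os.environ on POSIX are decoded with
    errors="surrogateescape", so an invalid byte 0xC0 becomes U+DCC0 and
    only shows up again when the string is re-encoded strictly.
    """
    try:
        text.encode("utf-8", errors="strict")
    except UnicodeEncodeError:
        return False
    return True


def sanitize_for_sql(data: bytes) -> str:
    """Hypothetical gate: refuse malformed input instead of escaping it.

    Returns the decoded text on success. Quoting is deliberately not
    done here: the caller is expected to pass the value as a query
    parameter rather than interpolate it into SQL or a psql command line.
    """
    if not is_strict_utf8(data):
        raise ValueError("rejecting input that is not well-formed UTF-8")
    return data.decode("utf-8")


# Constructed samples: a normal value, a value that escaping handles fine,
# and three malformed sequences (truncated lead byte, overlong slash,
# stray continuation byte).
SAMPLE_INPUTS = {
    "plain": "caf\u00e9".encode("utf-8"),
    "quote": b"O'Reilly",
    "truncated": b"abc\xc0",
    "overlong": b"\xc0\xaf",
    "stray": b"\x80abc",
}


def triage(samples: dict) -> dict:
    """Map each sample name to 'accepted' or 'rejected'."""
    verdicts = {}
    for name, raw in samples.items():
        try:
            sanitize_for_sql(raw)
            verdicts[name] = "accepted"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INPUTS).items():
        print(f"{name:10} {verdict}")
```

Rejecting rather than repairing is the point: replacing bad bytes with U+FFFD would also keep the escaping routine safe, but it silently changes the value the user submitted, which is rarely what a database write should do.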
Mitigations
To mitigate the risks associated with CVE-2025-1094, PostgreSQL users are advised to upgrade to the latest patched versions:
- PostgreSQL 17.3
- PostgreSQL 16.7
- PostgreSQL 15.11
- PostgreSQL 14.16
- PostgreSQL 13.19
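Because the fix lands in a specific minor release per major branch, the practical question for an inventory sweep is whether each installed psql is at or above the version listed above for its branch. The following is an added example, not code from the advisory or the PostgreSQL project; the banner strings are constructed, the function names are hypothetical, and the fixed-version table is taken from the list above. Since the affected component is the psql client, the banner that matters is the one from psql --version; a SELECT version() banner is parsed too because client and server normally ship from the same release.

```python
"""Added example: classify PostgreSQL version banners against the
fixed releases for CVE-2025-1094 (17.3, 16.7, 15.11, 14.16, 13.19)."""

import re
import subprocess

# Fixed minor release per major branch, as listed in the advisory.
FIXED_MINOR = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}

# Matches both "psql (PostgreSQL) 16.4" and "PostgreSQL 16.4 on x86_64...".
_VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)\.(\d+)")


def parse_version(banner: str):
    """Return (major, minor) from a psql or server banner, or None."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def assess(banner: str) -> str:
    """Classify a banner as fixed, vulnerable, not-covered or unknown.

    'not-covered' means the major branch is not in the advisory's fix
    table (for example an end-of-life branch); treat it as needing an
    upgrade rather than as safe.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    major, minor = parsed
    fixed_minor = FIXED_MINOR.get(major)
    if fixed_minor is None:
        return "not-covered"
    return "fixed" if minor >= fixed_minor else "vulnerable"


def triage(banners) -> dict:
    """Map each banner to its verdict."""
    return {banner: assess(banner) for banner in banners}


def local_psql_banner():
    """Run psql --version on this host, or return None if psql is absent."""
    try:
        result = subprocess.run(["psql", "--version"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stdout.strip() or None


# Constructed banners covering the cases the classifier distinguishes.
SAMPLE_BANNERS = [
    "psql (PostgreSQL) 16.4",
    "psql (PostgreSQL) 17.3 (Debian 17.3-1.pgdg120+1)",
    "PostgreSQL 13.18 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit",
    "PostgreSQL 12.22 on x86_64-pc-linux-gnu",
    "psql (PostgreSQL) 18devel",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:12} {banner}")
    local = local_psql_banner()
    if local:
        print(f"{assess(local):12} {local}  (this host)")
```

Feeding it the output of a fleet-wide command runner (one banner per host) turns the list above into a per-host patch status; anything reported as unknown or not-covered deserves a manual look rather than being counted as patched.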
The PostgreSQL Global Development Group has released advisories outlining the fixes and offering guidance on best security practices. Additionally, a Metasploit module targeting CVE-2025-1094 has been developed, highlighting the urgency for organizations to implement patches without delay.
Organizations utilizing PostgreSQL should take immediate action to secure their systems and review their security protocols to prevent future exploitation of similar vulnerabilities.