Overview
Recently, NSFOCUS CERT detected that PostgreSQL has issued a security announcement and fixed the PostgreSQL SQL injection vulnerability (CVE-2025-1094), with a CVSS score of 8.1. Since the psql tool of PostgreSQL is used to detect invalid UTF-8 characters (such as hax\xC0′; \! id #), resulting in accidental segmentation of SQL statements, and unauthenticated attackers can execute arbitrary code using the PostgreSQL interactive terminal psql by constructing specially-crafted inputs to implement SQL injection. At present, the details of vulnerabilities and PoC have been disclosed and are found to be in use. Relevant users shall take measures for protection as soon as possible.
PostgreSQL is a powerful, flexible and customizable open-source relational database management system (RDBMS), which supports Windows, Linux, UNIX, Mac OS X, BSD and other operating systems.
Reference link: https://www.postgresql.org/support/security/CVE-2025-1094
Scope of Impact
Affected version
- 17 <= PostgreSQL < 17.3
- 16 <= PostgreSQL < 16.7
- 15 <= PostgreSQL < 15.11
- 14 <= PostgreSQL < 14.16
- 13 <= PostgreSQL < 13.19
Unaffected Version
- PostgreSQL >= 17.3
- PostgreSQL >= 16.7
- PostgreSQL >= 15.11
- PostgreSQL >= 14.16
- PostgreSQL >= 13.19
Detection
Relevant users can use the following command to check whether the currently used PostgreSQL version is within the influence range:
SQL query:
Mitigation
Official upgrade
A new version has been officially released to fix this vulnerability. Please upgrade the protection for affected users as soon as possible. The download link is https://www.postgresql.org/download
Temporary measure
If relevant users cannot perform the upgrade operation temporarily, the following measures can be taken for temporary relief:
1. Verify UTF-8 encoding: clean up the input containing invalid UTF-8 sequence before transferring to psql;
2. Avoid dynamic SQL: use parameterized query or ORM framework to minimize the direct psql usage of original input;
3. Restrict the access permission of psql tools to a whitelist without affecting services.
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.
Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.
Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.
