You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
title: CVE-2025-1094 - PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
3
+
navTitle: CVE-2025-1094
4
+
affectedProducts: All versions of PostgreSQL, EPAS and PGE prior to 17.3, 16.7, 15.11, 14.16, and 13.19
5
+
---
6
+
7
+
First Published: 2025/02/15
8
+
9
+
Last Updated: 2025/02/15
10
+
11
+
Important: This is an assessment of the impact of CVE-2025-1094 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.
12
+
13
+
## Summary
14
+
15
+
Improper neutralization of quoting syntax in PostgreSQL libpq functions `PQescapeLiteral()`, `PQescapeIdentifier()`, `PQescapeString()`, and `PQescapeStringConn()` allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is `BIG5` and server_encoding is one of `EUC_TW` or `MULE_INTERNAL`. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
<h4>PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation</h4>
38
+
<h5> All versions of PostgreSQL, EPAS and PGE prior to 17.3, 16.7, 15.11, 14.16, and 13.19</h5>
38
39
</summary>
39
40
<hr/>
40
41
<em>Summary:</em>
41
-
The original vulnerability was an integer overflow leading to a heap-based buffer overflow in <code>UnicodeString::doAppend()</code> in ICU (International Components for Unicode) for C/C++ which existed up to (and including) version 66.1.
42
+
Improper neutralization of quoting syntax in PostgreSQL libpq functions <code>PQescapeLiteral()</code>, <code>PQescapeIdentifier()</code>, <code>PQescapeString()</code>, and <code>PQescapeStringConn()</code> allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is <code>BIG5</code> and server_encoding is one of <code>EUC_TW</code> or <code>MULE_INTERNAL</code>. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
<h4>PostgreSQL relation replacement during pg_dump executes arbitrary SQL</h4>
63
+
<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.4, 15.8, and 14.13</h5>
62
64
</summary>
63
65
<hr/>
64
66
<em>Summary:</em>
65
-
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
67
+
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
<h4>Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner</h4>
83
+
<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.3, 15.7, and 14.12</h5>
84
+
</summary>
85
+
<hr/>
86
+
<em>Summary:</em>
87
+
Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
88
+
<br/>
89
+
<ahref="cve-2024-4317">Read More...</a>
90
+
</details></td></tr>
91
+
92
+
93
+
94
+
77
95
78
96
79
97
<tr><td>
@@ -95,39 +113,42 @@ pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using Prefe
<h5> PostgreSQL, EPAS all versions prior to 15.6.0,14.11.0,13.14.20 and 12.18.23, PGE all versions prior to 15.6.0</h5>
105
124
</summary>
106
125
<hr/>
107
126
<em>Summary:</em>
108
-
Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
127
+
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
<h5> All versions of EDB Postgres Advanced Server from 13 through 16</h5>
124
144
</summary>
125
145
<hr/>
126
146
<em>Summary:</em>
127
-
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
147
+
The original vulnerability was an integer overflow leading to a heap-based buffer overflow in <code>UnicodeString::doAppend()</code> in ICU (International Components for Unicode) for C/C++ which existed up to (and including) version 66.1.
0 commit comments