CVE-2025-1094

Public on 2025-02-13
Modified on 2025-02-18
Description
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Severity
Important severity
Important
CVSS v3 Base Score
8.1
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Postgresql13 Extra libpq 2025-03-03 ALAS2POSTGRESQL13-2025-010 Fixed
Amazon Linux 2 - Postgresql14 Extra libpq 2025-03-03 ALAS2POSTGRESQL14-2025-017 Fixed
Amazon Linux 2023 libpq 2025-02-26 ALAS2023-2025-868 Fixed
Amazon Linux 2 - Core postgresql 2025-05-21 ALAS2-2025-2866 Fixed
Amazon Linux 2 - Postgresql13 Extra postgresql 2025-03-03 ALAS2POSTGRESQL13-2025-009 Fixed
Amazon Linux 2 - Postgresql14 Extra postgresql 2025-03-03 ALAS2POSTGRESQL14-2025-016 Fixed
Amazon Linux 2023 postgresql15 2025-02-26 ALAS2023-2025-869 Fixed
Amazon Linux 2023 postgresql16 2025-02-26 ALAS2023-2025-870 Fixed
Amazon Linux 1 postgresql8 No Fix Planned
Amazon Linux 1 postgresql92 No Fix Planned
Amazon Linux 1 postgresql93 No Fix Planned
Amazon Linux 1 postgresql94 No Fix Planned
Amazon Linux 1 postgresql95 No Fix Planned
Amazon Linux 1 postgresql96 No Fix Planned

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD CVSSv3 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2025-1094 Mitre: CVE-2025-1094