Critical PostgreSQL Vulnerabilities Allow Arbitrary Code Injection During Restoration

The PostgreSQL Global Development Group has issued emergency security updates across all supported versions to address three critical vulnerabilities that could allow attackers to execute arbitrary code during database restoration processes. 

The vulnerabilities affect PostgreSQL versions 13 through 17, with patches released in versions 17.6, 16.10, 15.14, 14.19, and 13.22.

Among the three security flaws, two pose particularly severe risks to organizations relying on PostgreSQL backup and restoration procedures. 

Key Takeaways
1. Attackers can inject and execute arbitrary code during restoration via pg_dump flaws.
2. Optimizer statistics bug lets unauthorized users access restricted data.
3. Upgrade to the latest versions immediately to mitigate these risks.

Both high-severity flaws lie in the pg_dump utility, a cornerstone tool for database backups, turning routine maintenance operations into potential attack vectors.

Malicious Superuser Code Injection Flaw

The most severe vulnerability, tracked as CVE-2025-8714 with a CVSS score of 8.8, enables malicious superusers on origin servers to inject arbitrary code that executes during restoration. 

The attack vector is pg_dump's inclusion of untrusted data in its output, which lets attackers embed malicious psql meta-commands within backup files.

When administrators restore these compromised backups using psql, the embedded commands execute with the privileges of the client operating system account performing the restoration. 

The attack methodology bears similarities to MySQL’s CVE-2024-21096, indicating a broader pattern of dump utility exploitation across database platforms.

The vulnerability extends beyond the primary pg_dump utility, affecting pg_dumpall for cluster-wide backups and pg_restore when generating plain-format dumps. 

Security researchers Martin Rakhmanov, Matthieu Denais, and RyotaK discovered and reported this critical flaw to the PostgreSQL project.

A second critical vulnerability, CVE-2025-8715, also scoring 8.8 on the CVSS scale, exploits improper neutralization of newlines in object names within pg_dump output. 

Attackers can craft database objects with specially formatted names containing embedded newline characters and psql meta-commands.

During restoration, these malicious object names can trigger code execution on the client system running psql and potentially achieve SQL injection as a superuser on the target database server.

The vulnerability represents a regression of security controls, as CVE-2012-0868 had previously addressed similar attack patterns before version 11.20 reintroduced the weakness.

This flaw affects multiple PostgreSQL utilities, including pg_dumpall, pg_restore, and pg_upgrade, expanding the potential attack surface across various database maintenance operations. 

Noah Misch, a PostgreSQL contributor, identified and reported this vulnerability.

CVE-2025-8713 identifies a more subtle but significant information disclosure vulnerability affecting PostgreSQL's optimizer statistics functionality.

With a CVSS score of 3.1, this vulnerability allows users to access sampled data within views, partitions, or child tables that should be restricted by access control lists (ACLs) or row security policies.

CVE            Title                                                          CVSS v3.1 Score  Severity
CVE-2025-8714  pg_dump lets superuser execute arbitrary code in psql client   8.8              High
CVE-2025-8715  pg_dump newline in object name executes arbitrary code         8.8              High
CVE-2025-8713  Optimizer statistics expose sampled data in restricted views   3.1              Low

Immediate remediation requires upgrading to the fixed PostgreSQL versions: 17.6, 16.10, 15.14, 14.19, or 13.22, released on August 14, 2025. 

Organizations should implement strict access controls for database administration tools, validate dumps from untrusted sources, and apply the principle of least privilege during restoration operations.
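The two pg_dump flaws described above share one trait: the dump file, which psql will read as a script, can carry attacker-controlled text (embedded meta-commands in CVE-2025-8714, object names with embedded newlines in CVE-2025-8715). The scanner below is an added example, not code from the advisory or from the PostgreSQL project, illustrating the "validate dumps from untrusted sources" step: it walks a plain-format dump with a small quote-aware tokenizer and reports any backslash meta-command that appears outside quoting and COPY data, and any double-quoted identifier that runs past a newline. The allowlist of legitimate meta-commands and the sample dump are constructed assumptions that should be tuned to what your own dumps contain.

```python
"""Pre-restore scanner for plain-format PostgreSQL dumps (added example, not
code from the advisory or the PostgreSQL project). A small quote-aware
tokenizer reports psql meta-commands outside quoting/COPY data and
double-quoted identifiers that continue onto the next line. Heuristic only."""
import re
import sys
from collections import namedtuple

# Meta-commands a genuine pg_dump / pg_dumpall plain dump may emit.
# Assumption: tune this to what your own dumps actually contain.
ALLOWED_META = {r"\connect", r"\."}
COPY_START = re.compile(r"^COPY\s.*\sFROM\s+stdin;\s*$", re.IGNORECASE)
META_CMD = re.compile(r"^\s*(\\[A-Za-z!?.]\S*)")
DOLLAR_TAG = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*\$|\$\$")
Finding = namedtuple("Finding", "line_no kind text")  # kind: "meta-command" | "newline-in-identifier"

class _QuoteState:
    """Tracks whether we are inside '...', "..." or $tag$...$tag$."""
    def __init__(self):
        self.single, self.double, self.dollar = False, False, None

    def inside(self):
        return self.single or self.double or self.dollar is not None

def _feed(state, line):
    """Advance the quote state over one line of SQL."""
    i = 0
    while i < len(line):
        if state.dollar is not None:  # inside $tag$ ... $tag$
            j = line.find(state.dollar, i)
            if j < 0:
                return  # body continues on the next line
            i, state.dollar = j + len(state.dollar), None
            continue
        c = line[i]
        if state.single or state.double:
            q = "'" if state.single else '"'
            if line.startswith(q * 2, i):  # a doubled quote is an escape
                i += 2
                continue
            if c == q:
                state.single = state.double = False
            i += 1
            continue
        if line.startswith("--", i):
            return  # comment runs to end of line
        if c == "'":
            state.single = True
        elif c == '"':
            state.double = True
        elif c == "$" and DOLLAR_TAG.match(line, i):
            state.dollar = DOLLAR_TAG.match(line, i).group(0)
            i += len(state.dollar)
            continue
        i += 1

def scan_dump(text):
    """Return a list of Finding for a dump given as a string."""
    findings, state, in_copy = [], _QuoteState(), False
    for line_no, line in enumerate(text.splitlines(), start=1):
        if in_copy:  # COPY data is never parsed as SQL or meta-commands
            in_copy = line != r"\."
            continue
        if not state.inside():
            if COPY_START.match(line):
                in_copy = True
                continue
            m = META_CMD.match(line)
            if m and m.group(1) not in ALLOWED_META:
                findings.append(Finding(line_no, "meta-command", line.strip()))
        _feed(state, line)
        if state.double:  # the identifier runs past the end of the line
            findings.append(Finding(line_no, "newline-in-identifier", line.strip()))
    return findings

# Constructed sample, not real pg_dump output.
SAMPLE_DUMP = (
    "SET client_encoding = 'UTF8';\n"
    "COPY public.accounts (id, note) FROM stdin;\n"
    "1\t\\\\escaped backslash in COPY data is not a command\n"
    "\\.\n"
    "CREATE FUNCTION public.f() RETURNS text LANGUAGE sql AS $body$\n"
    "SELECT '\\! text inside dollar quotes is data';\n"
    "$body$;\n"
    "-- Name: evil\n"
    "\\! echo injected; Type: TABLE; Schema: public; Owner: app\n"
    "CREATE TABLE public.\"multi\n"
    "line\" (id integer);\n"
)

def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_DUMP
    findings = scan_dump(text)
    for f in findings:
        print(f"line {f.line_no}: {f.kind}: {f.text}")
    return 1 if findings else 0  # non-zero exit lets a restore pipeline refuse the file

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_dump.py backup.sql` before piping the file into psql; on the constructed sample it reports the stray `\!` line and the identifier that continues onto the next line while ignoring the backslash inside COPY data and the one inside the dollar-quoted function body. It is a pre-restore check to gate a pipeline, not a substitute for the fixed releases.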


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.