Critical PostgreSQL Flaws Allow Code Injection During Restoration

The PostgreSQL Global Development Group released emergency security updates on August 14, 2025, addressing three critical vulnerabilities that enable code injection attacks during database restoration processes.

The flaws affect all supported versions from PostgreSQL 13 through 17, requiring immediate patching across enterprise environments.

Dangerous Dump and Restore Vulnerabilities

Two severe code execution vulnerabilities, CVE-2025-8714 and CVE-2025-8715, exploit PostgreSQL’s pg_dump utility to inject malicious commands into backup files.

When these compromised dumps are restored using psql, attackers can execute arbitrary code on the target system with the privileges of the user running the restoration process.

CVE-2025-8714 allows malicious superusers to embed psql meta-commands within database dumps.

| CVE ID        | CVSS Score | Impact                                                       | Affected Versions |
|---------------|------------|--------------------------------------------------------------|-------------------|
| CVE-2025-8714 | 8.8        | Arbitrary OS code execution via pg_dump meta-commands        | 13-17             |
| CVE-2025-8715 | 8.8        | Code/SQL injection through newline handling in object names  | 13-17             |
| CVE-2025-8713 | 3.1        | Data exposure via optimizer statistics                       | 13-17             |

During restoration, these commands execute on the client system, potentially compromising entire infrastructure pipelines. The attack leverages untrusted data inclusion in pg_dump, similar to MySQL’s CVE-2024-21096.

CVE-2025-8715 exploits improper newline handling in object names, enabling both client-side code execution and SQL injection on the target server.

This vulnerability reintroduces attack vectors that were supposedly fixed by CVE-2012-0868, demonstrating how security regressions can occur during routine maintenance updates.

The third vulnerability, CVE-2025-8713, exposes sensitive data through PostgreSQL’s optimizer statistics system.

Attackers can craft malicious operators to bypass view access controls and row-level security policies, accessing sampled data that should remain hidden.

Organizations must upgrade to PostgreSQL versions 17.6, 16.10, 15.14, 14.19, or 13.22 immediately.

The vulnerabilities are particularly dangerous in DevOps environments where automated backup restoration occurs regularly, as compromised dumps can execute with elevated system privileges.

Cloud providers have already begun emergency fleet updates, with several disabling customer-initiated logical restore operations until tenant clusters are verified as patched.

Development teams should audit their CI/CD pipelines for pg_dump usage and implement additional validation steps for backup files.
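One concrete validation step a pipeline can run before piping a plain-text dump into psql, written here as an added example (it is not code from the PostgreSQL project or from this article): scan the file for psql meta-commands, i.e. lines whose first non-blank character is a backslash, and refuse to restore if any appear that are not on a short allowlist. The allowlist itself (`\.` as the COPY data terminator, `\connect` as written by pg_dumpall and `pg_dump --create`, and the `\restrict`/`\unrestrict` pair written by patched pg_dump builds) is this checker's own policy and an assumption, not something the advisory states; the two sample dumps are constructed inline.

```python
"""Pre-restore check for plain-text pg_dump / pg_dumpall output.

Added example: scans a dump for psql meta-commands (lines whose first
non-blank character is a backslash) and reports any that are not on a
short allowlist, so a CI/CD job can refuse to pipe the file into psql.
"""
import re
import sys

# Meta-commands a legitimate dump may contain. This allowlist is the
# checker's own policy (an assumption), not something the advisory states:
#   \.             ends a COPY ... FROM stdin data block
#   \connect       written by pg_dumpall and by pg_dump --create
#   \restrict and \unrestrict   written around the body by patched pg_dump
ALLOWED_META = {"\\.", "\\connect", "\\restrict", "\\unrestrict"}

# A meta-command is a backslash followed by a verb: either a run of letters
# (\connect, \o) or a single punctuation character (\!, \., \?).
META_CMD = re.compile(r"^\\([A-Za-z]+|[^\sA-Za-z])")
COPY_START = re.compile(r"^COPY\s.*\sFROM\s+stdin;\s*$")


def scan_dump(text):
    """Return [(line_no, meta_command, line)] for each disallowed meta-command.

    Lines inside a COPY ... FROM stdin data block are skipped: they are table
    rows (which may legitimately start with \\N or an escaped backslash), and
    psql does not interpret them as commands.
    """
    findings = []
    in_copy_data = False
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if in_copy_data:
            if stripped == "\\.":
                in_copy_data = False
            continue
        if COPY_START.match(stripped):
            in_copy_data = True
            continue
        match = META_CMD.match(stripped)
        if match is None:
            continue
        command = "\\" + match.group(1)
        if command not in ALLOWED_META:
            findings.append((line_no, command, line))
    return findings


# Constructed sample: what a clean plain-format dump looks like to the scanner.
BENIGN_DUMP = (
    "--\n"
    "-- PostgreSQL database dump (constructed sample, not a real dump)\n"
    "--\n"
    "\\restrict k9x2\n"
    "SET client_encoding = 'UTF8';\n"
    "CREATE TABLE public.notes (id integer, body text);\n"
    "COPY public.notes (id, body) FROM stdin;\n"
    "1\t\\N\n"
    "\\N\trow with a NULL id, starts with a backslash but is data\n"
    "2\tbackslash in data \\\\ is escaped by pg_dump\n"
    "\\.\n"
    "\\unrestrict k9x2\n"
)

# Constructed sample: a dump carrying meta-commands that a restore via psql
# would execute on the restoring host; this is what the scanner must catch.
SUSPICIOUS_DUMP = (
    "--\n"
    "-- Name: evil; Type: TABLE; Schema: public (constructed sample)\n"
    "\\! echo constructed-sample-shell-escape\n"
    "CREATE TABLE public.evil (id integer);\n"
    "\\o /tmp/restore-output.txt\n"
    "SELECT 1;\n"
)


def main(argv):
    """Usage: check_dump.py DUMP.sql  (exit status 1 if anything is flagged)."""
    if len(argv) != 2:
        print(__doc__.strip().splitlines()[0], file=sys.stderr)
        return 2
    path = argv[1]
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = scan_dump(fh.read())
    for line_no, command, line in findings:
        print(f"{path}:{line_no}: disallowed psql meta-command {command}: {line.strip()}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check is deliberately conservative: it only inspects line-start meta-commands, which is where pg_dump itself would place them and where injected object names would land them, and it treats anything outside the allowlist as a reason to stop the job and inspect the file by hand rather than as a parse error to skip over. Running `scan_dump` over the two constructed samples returns nothing for the benign dump and flags lines 3 and 5 of the suspicious one.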

The PostgreSQL project credits Martin Rakhmanov, Matthieu Denais, RyotaK, Noah Misch, and Dean Rasheed for responsible disclosure of these vulnerabilities.

With PostgreSQL 13 reaching end-of-life on November 13, 2025, organizations should prioritize migration to supported versions.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.