PostgreSQL Terminal Tool Injection Vulnerability Allows Remote Code Execution


Researchers have uncovered a high-severity SQL injection vulnerability, CVE-2025-1094, affecting PostgreSQL’s interactive terminal tool, psql. 

This flaw was identified during research into the exploitation of CVE-2024-12356, a remote code execution (RCE) vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products. 

The discovery highlights the interconnected nature of these vulnerabilities, as successful exploitation of CVE-2024-12356 required leveraging CVE-2025-1094 in all tested scenarios.

PostgreSQL Terminal Tool Injection Vulnerability

CVE-2025-1094 arises from an incorrect assumption about the security of escaped untrusted input in PostgreSQL’s string escaping routines. 

It was believed that properly escaped input could not lead to SQL injection attacks. However, when invalid UTF-8 characters are processed by psql, attackers can exploit this flaw to inject malicious SQL statements. 

This vulnerability has a CVSS 3.1 base score of 8.1, indicating high severity. Attackers can exploit this vulnerability to execute arbitrary SQL statements and achieve arbitrary code execution (ACE) by leveraging psql’s meta-command functionality. 

Meta-commands such as the exclamation-mark command (`\!`) allow the execution of operating system shell commands directly from the interactive tool.

This vulnerability was found by Stephen Fewer, Principal Security Researcher at Rapid7. CVE-2025-1094 plays a critical role in enabling remote code execution via CVE-2024-12356. 

BeyondTrust patched CVE-2024-12356 in December 2024, blocking its exploitation path and indirectly mitigating attacks involving CVE-2025-1094. 

However, this patch did not address the root cause of CVE-2025-1094, leaving it as a zero-day vulnerability until Rapid7's disclosure.

The vulnerability affects all supported PostgreSQL versions prior to 17.3, 16.7, 15.11, 14.16 and 13.19.

The flaw allows attackers to prematurely terminate SQL statements and inject additional commands.

Exploitation can lead to significant risks, including unauthorized database access and full system compromise through shell command execution.

Mitigations

To mitigate CVE-2025-1094, PostgreSQL users should upgrade their installations to the latest patched versions:

  • PostgreSQL 17.3
  • PostgreSQL 16.7
  • PostgreSQL 15.11
  • PostgreSQL 14.16
  • PostgreSQL 13.19

The PostgreSQL Global Development Group has issued advisories detailing the fixes and providing guidance on security practices.
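As an added example (not code from the article, Rapid7 or the PostgreSQL project), a small Python helper that applies the two checks the article points to: confirming that a reported PostgreSQL or psql version is at or above the fixed releases listed above, and refusing to escape untrusted input into an SQL literal unless it is valid UTF-8. The version banners and byte strings are constructed sample inputs.

```python
import re

# Minimum patched minor release per major line, taken from the advisory list above.
FIXED_MINOR = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}


def parse_version(text: str) -> tuple[int, int]:
    """Extract (major, minor) from strings such as 'psql (PostgreSQL) 16.6'
    or 'PostgreSQL 15.11 on x86_64-pc-linux-gnu'."""
    m = re.search(r"PostgreSQL\)?\s+(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no PostgreSQL version found in: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_patched_for_cve_2025_1094(text: str) -> bool:
    """True if the reported release is at or above the fixed version for its major line."""
    major, minor = parse_version(text)
    if major not in FIXED_MINOR:
        # Majors below 13 are out of support and never received the fix;
        # majors above 17 were released after it and ship with it.
        return major > 17
    return minor >= FIXED_MINOR[major]


def quote_literal_strict(raw: bytes) -> str:
    """Escape untrusted bytes into an SQL literal, but only after confirming they
    decode as valid UTF-8. Escaping at the byte level without this check is the
    'escaped input is safe' assumption the article describes as broken."""
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(f"rejecting input: invalid UTF-8 at byte {exc.start}") from exc
    return "'" + text.replace("'", "''") + "'"


if __name__ == "__main__":
    # Constructed banners in the shape of `psql --version` and `SELECT version()` output.
    for banner in ("psql (PostgreSQL) 16.6", "PostgreSQL 17.3 on x86_64-pc-linux-gnu"):
        state = "patched" if is_patched_for_cve_2025_1094(banner) else "VULNERABLE"
        print(f"{banner} -> {state}")
    print(quote_literal_strict(b"O'Reilly"))
    try:
        quote_literal_strict(b"abc\xff")  # constructed: 0xFF never appears in valid UTF-8
    except ValueError as err:
        print(err)
```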

A Metasploit module targeting CVE-2025-1094 has been developed, enabling exploitation against vulnerable BeyondTrust systems. This underscores the urgency for organizations to apply patches promptly.

Organizations using PostgreSQL should act swiftly to patch their systems and review their security protocols to prevent exploitation of such vulnerabilities in the future.
