CVE-2025-1094 - PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
First Published: 2025/02/15
Last Updated: 2025/02/15
Important: This is an assessment of the impact of CVE-2025-1094 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.
Summary
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
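The summary above hinges on text that fails encoding validation reaching the quoting functions. The following is an added example, not code from this advisory, from EDB, or from PostgreSQL: it shows the defensive pre-check an application can apply on its own side, rejecting any input that is not well-formed in the declared client_encoding before the bytes are escaped or used to build psql input. The PG_TO_PYTHON_CODEC mapping, the function names, and the sample byte strings are constructed for illustration; the quoting done by safe_literal is plain single-quote doubling, not a reimplementation of PQescapeLiteral.

```python
# Added example (not part of the EDB advisory or of PostgreSQL/libpq code).
# Defensive pre-check: refuse input that is not valid in the client encoding
# before any quoting routine or psql command construction sees it.

# Assumed mapping from PostgreSQL client_encoding names to Python codecs.
# Only BIG5 and UTF8 are exercised below.
PG_TO_PYTHON_CODEC = {
    "BIG5": "big5",
    "UTF8": "utf-8",
    "LATIN1": "latin-1",
}


class EncodingValidationError(ValueError):
    """Raised when input bytes are not well-formed in the client encoding."""


def validate_client_encoding(data: bytes, client_encoding: str) -> str:
    """Strictly decode `data` in the client encoding; raise on any malformed
    or truncated multibyte sequence instead of letting it through."""
    codec = PG_TO_PYTHON_CODEC[client_encoding.upper()]
    try:
        return data.decode(codec, errors="strict")
    except UnicodeDecodeError as exc:
        raise EncodingValidationError(
            f"input is not valid {client_encoding}: {exc.reason} at byte {exc.start}"
        ) from exc


def is_valid_client_encoding(data: bytes, client_encoding: str) -> bool:
    try:
        validate_client_encoding(data, client_encoding)
        return True
    except EncodingValidationError:
        return False


def safe_literal(data: bytes, client_encoding: str) -> str:
    """Validate first, then quote as a SQL string literal by doubling
    single quotes.  Malformed input is rejected, never quoted."""
    text = validate_client_encoding(data, client_encoding)
    return "'" + text.replace("'", "''") + "'"


if __name__ == "__main__":
    # Constructed sample inputs: a well-formed BIG5 character, a BIG5 lead
    # byte followed by a byte outside the trail-byte range, and a string
    # truncated after a lead byte.
    samples = [
        (b"\xa4\x40", "BIG5"),
        (b"\xa4'", "BIG5"),
        (b"abc\xa4", "BIG5"),
        (b"O'Neil", "UTF8"),
    ]
    for raw, enc in samples:
        try:
            print(enc, raw, "->", safe_literal(raw, enc))
        except EncodingValidationError as err:
            print(enc, raw, "-> REJECTED:", err)
```

The check belongs in the application, in front of whatever builds SQL or psql input; it does not replace upgrading to the fixed versions listed below, and wherever possible parameterised queries should be used instead of building SQL text from escaped strings at all.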
Vulnerability details
CVE-ID: CVE-2025-1094
CVSS Base Score: 8.1
CVSS Temporal Score: Undefined
CVSS Environmental Score: Undefined
CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products and versions
PostgreSQL
- All versions of PostgreSQL prior to 17.3
- All versions of PostgreSQL prior to 16.7
- All versions of PostgreSQL prior to 15.11
- All versions of PostgreSQL prior to 14.16
- All versions of PostgreSQL prior to 13.19
EnterpriseDB Postgres Advanced Server (EPAS)
- All versions of EPAS prior to 17.3.0
- All versions of EPAS prior to 16.7.0
- All versions of EPAS prior to 15.11.0
- All versions of EPAS prior to 14.16.0
- All versions of EPAS prior to 13.19.25
EnterpriseDB Postgres Extended
- All versions of PGE prior to 17.3
- All versions of PGE prior to 16.7
- All versions of PGE prior to 15.11
- All versions of PGE prior to 14.16
- All versions of PGE prior to 13.19
Remediation/fixes
The fix is included in the following versions: 17.3, 16.7, 15.11, 14.16, and 13.19.
PostgreSQL Version Information
Affected Version | Fixed In | Fix Published |
---|---|---|
All versions prior to 17.3 | 17.3 | 2025-01-13 |
All versions prior to 16.3 | 16.7 | 2025-01-13 |
All versions prior to 15.7 | 15.11 | 2025-01-13 |
All versions prior to 14.12 | 14.16 | 2025-01-13 |
All versions prior to 13.19 | 13.19 | 2025-01-13 |
EDB Postgres Extended Server
Product | VRMF | Remediation/First Fix |
---|---|---|
EPAS | All versions prior to 17.3 | Update to version 17.3 or later |
EPAS | All versions prior to 16.7 | Update to version 16.7 or later |
EPAS | All versions prior to 15.11 | Update to version 15.11 or later |
EPAS | All versions prior to 14.16 | Update to version 14.16 or later |
EPAS | All versions prior to 13.19 | Update to version 13.19 or later |
EDB Postgres Advanced Server (EPAS)
Product | VRMF | Remediation/First Fix |
---|---|---|
EPAS | All versions prior to 17.3.0 | Update to version 17.3.0 or later |
EPAS | All versions prior to 16.7.0 | Update to version 16.7.0 or later |
EPAS | All versions prior to 15.11.0 | Update to version 15.11.0 or later |
EPAS | All versions prior to 14.16.0 | Update to version 14.16.0 or later |
EPAS | All versions prior to 13.19.25 | Update to version 13.19.25 or later |
References
Related information
Acknowledgement
Source: PostgreSQL.org
Change history
15 Feb 2025: Original Copy Published
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.