
PostgreSQL Terminal Tool Vulnerability Allows Remote Code Execution
Recently, cybersecurity researchers discovered a critical SQL injection vulnerability in PostgreSQL’s interactive terminal tool, psql. This vulnerability, identified as CVE-2025-1094, allows attackers to remotely execute arbitrary code.
This flaw was uncovered during the analysis of CVE-2024-12356, a remote code execution (RCE) vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products. Researchers found that these two vulnerabilities are interconnected: successful exploitation of CVE-2024-12356 required leveraging CVE-2025-1094.
This discovery highlights how vulnerabilities in different systems can be linked and how one flaw can serve as a stepping stone for exploiting another.
🔍 Technical Details of the Vulnerability
The CVE-2025-1094 vulnerability stems from PostgreSQL’s incorrect assumption that escaped (quoted) input is secure: the developers believed that input passed through the proper escaping routines could not lead to an SQL injection attack.
However, researchers found that when psql processes malformed UTF-8 characters, this assumption breaks down, and an attacker can inject and execute malicious SQL queries.
Additionally, attackers can take advantage of the psql meta-command \!, which executes shell commands directly from the terminal. This significantly increases the risk, as an attacker could potentially gain full control over the system through PostgreSQL.
This vulnerability has received a CVSS 3.1 score of 8.1, indicating a high level of severity.
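The precondition the article describes is untrusted bytes that are not valid UTF-8 reaching psql inside text that an application believed it had escaped. The following Python is an added example, not code from the article or from the PostgreSQL project. It shows two habits that remove that precondition on the application side: strict UTF-8 validation of every untrusted value, and passing values to psql as variables (referenced as :'name' in the script) rather than splicing escaped text into the statement. The database name, table and column names are invented for the illustration; upgrading psql remains the actual fix.

```python
"""
Added example (not from the article or the PostgreSQL project): defensive
handling of untrusted values destined for a psql session.
"""
import subprocess
from typing import Callable, Mapping


class UntrustedInputError(ValueError):
    """Raised when a value must not be passed on to psql."""


def validate_utf8(value: bytes) -> str:
    """Strictly decode untrusted bytes before they go anywhere near SQL.

    errors="strict" rejects truncated or overlong multibyte sequences, stray
    continuation bytes and encoded UTF-16 surrogates. NUL is refused as well:
    PostgreSQL text values cannot hold it and psql variables cannot carry it.
    """
    try:
        text = value.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise UntrustedInputError(
            f"invalid UTF-8 at byte offset {exc.start}: {exc.reason}"
        ) from exc
    if "\x00" in text:
        raise UntrustedInputError("NUL byte in input")
    return text


# Assumed schema for the illustration. The value is referenced as :'username';
# psql quotes the variable itself, so no application-side escaping is involved.
LOOKUP_SQL = "SELECT id, email FROM users WHERE username = :'username';\n"


def build_psql_argv(dbname: str, variables: Mapping[str, bytes]) -> list:
    """Build an argv list for psql.

    No shell is involved, so shell metacharacters in values are inert, and
    each value travels as a psql variable (--variable=name=value) rather than
    as part of the SQL text. The SQL is supplied on stdin by run_sql() because
    psql does not interpolate variables inside a -c command string.
    """
    argv = ["psql", "--no-psqlrc", "--set=ON_ERROR_STOP=1", "--dbname", dbname]
    for name, raw in variables.items():
        if not name.isidentifier():
            raise UntrustedInputError(f"unsafe variable name {name!r}")
        argv.append(f"--variable={name}={validate_utf8(raw)}")
    return argv


def run_sql(argv: list, sql: str,
            runner: Callable[..., object] = subprocess.run) -> str:
    """Feed the script to psql on stdin and return its stdout.

    `runner` is injectable so the flow can be exercised without a database.
    """
    result = runner(argv, input=sql, text=True, capture_output=True, check=True)
    return result.stdout


if __name__ == "__main__":
    cmd = build_psql_argv("appdb", {"username": b"alice"})
    print("would run:", cmd)
    print("with stdin:", LOOKUP_SQL.strip())
```

The validator runs on raw bytes deliberately: once a value has been decoded into a Python str it is already valid Unicode, so the check has to happen at the boundary where bytes arrive (an HTTP body, a file, a socket), before any SQL is assembled.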
🎯 Affected PostgreSQL Versions
The CVE-2025-1094 vulnerability affects the following versions of PostgreSQL:
🚨 PostgreSQL 17.2 and earlier versions
🚨 PostgreSQL 16.6 and earlier versions
🚨 PostgreSQL 15.10 and earlier versions
🚨 PostgreSQL 14.15 and earlier versions
🚨 PostgreSQL 13.18 and earlier versions
Attackers can use this flaw to prematurely terminate SQL statements and insert additional malicious commands, leading to serious security threats:
✅ Unauthorized access to databases – Attackers can infiltrate PostgreSQL databases and steal sensitive information.
✅ Remote Code Execution (RCE) – By leveraging psql meta-commands, attackers can execute system-level commands.
✅ Full system compromise – If attackers execute commands with elevated privileges, they can gain complete control over the system.
⚠ Security Patch Issues
Although BeyondTrust released a patch for CVE-2024-12356 in December 2024, it did not fully address CVE-2025-1094. As a result, this vulnerability remained a zero-day threat until it was disclosed by Rapid7.
🛠 Fixes and Updates
To mitigate CVE-2025-1094, PostgreSQL has released the following security updates:
🔹 PostgreSQL 17.3
🔹 PostgreSQL 16.7
🔹 PostgreSQL 15.11
🔹 PostgreSQL 14.16
🔹 PostgreSQL 13.19
🔐 Mitigation Recommendations
✅ Update PostgreSQL immediately – Install the latest patched version from the official website or through system update tools.
✅ Restrict administrative privileges – Grant access only to necessary users.
✅ Implement SQL injection protection – Use Web Application Firewalls (WAF) or dedicated SQL injection detection tools.
✅ Disable psql meta-commands, if not required – Modify the .psqlrc file to restrict their use.
✅ Enable system monitoring – Regularly analyze logs for unusual command executions.
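The last recommendation, monitoring for unusual command execution, has a concrete shape for this flaw: the shell commands that psql meta-commands run never reach the PostgreSQL server log, so they have to be caught by host-side process auditing as a shell spawned with psql as its parent. The following Python is an added example, not code from the article. It runs that check over a constructed, simplified process-event stream (one JSON object per line with pid, ppid, uid, comm and cmdline fields chosen for this example; not a real auditd or EDR format) and skips the one benign case that has the same shape, psql launching its pager.

```python
r"""
Added example (not from the article): flag shells spawned by psql in a
constructed process-event stream. psql's \! and \e meta-commands run via
system(), so on Linux they show up as a child "sh -c <command>" whose parent
process is psql.
"""
import json
from typing import Iterable, List, Optional

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
# psql uses popen() for its pager, which produces the same "sh -c <pager>"
# shape; these commands are expected during interactive use and not reported.
PAGERS = {"less", "more", "pspg"}

# Constructed sample data, not a capture from a real system.
SAMPLE_EVENTS = """\
{"ts":"2025-02-13T10:01:02Z","pid":4101,"ppid":1,"uid":1000,"comm":"bash","cmdline":"bash"}
{"ts":"2025-02-13T10:01:05Z","pid":4102,"ppid":4101,"uid":1000,"comm":"psql","cmdline":"psql -d appdb"}
{"ts":"2025-02-13T10:01:09Z","pid":4103,"ppid":4102,"uid":1000,"comm":"sh","cmdline":"sh -c less"}
{"ts":"2025-02-13T10:02:11Z","pid":4104,"ppid":4102,"uid":1000,"comm":"sh","cmdline":"sh -c uname -a"}
{"ts":"2025-02-13T10:02:11Z","pid":4105,"ppid":4104,"uid":1000,"comm":"uname","cmdline":"uname -a"}
{"ts":"2025-02-13T10:05:40Z","pid":4201,"ppid":1,"uid":0,"comm":"psql","cmdline":"psql -U postgres"}
{"ts":"2025-02-13T10:05:42Z","pid":4202,"ppid":4201,"uid":0,"comm":"sh","cmdline":"sh -c id"}
{"ts":"2025-02-13T10:06:00Z","pid":4301,"ppid":1,"uid":1000,"comm":"sshd","cmdline":"sshd: alice"}
{"ts":"2025-02-13T10:06:01Z","pid":4302,"ppid":4301,"uid":1000,"comm":"sh","cmdline":"sh -c uname -a"}
"""


def parse_events(text: str) -> List[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def shell_command(cmdline: str) -> Optional[str]:
    """Return the command handed to `sh -c`, or None if cmdline is not that shape."""
    parts = cmdline.split(None, 2)
    if len(parts) == 3 and parts[0] in SHELLS and parts[1] == "-c":
        return parts[2]
    return None


def detect_psql_shells(events: Iterable[dict]) -> List[dict]:
    """Report every shell whose parent process is psql, except the pager.

    Severity is raised to "high" when the session runs as uid 0, matching the
    article's point that the impact depends on the privileges psql runs with.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in by_pid.values():
        if e["comm"] not in SHELLS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["comm"] != "psql":
            continue
        cmd = shell_command(e["cmdline"])
        if cmd is not None and cmd.split()[0] in PAGERS:
            continue  # interactive pager launched by psql, expected
        findings.append({
            "ts": e["ts"],
            "pid": e["pid"],
            "uid": e["uid"],
            "psql_cmdline": parent["cmdline"],
            "command": cmd if cmd is not None else e["cmdline"],
            "severity": "high" if e["uid"] == 0 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_psql_shells(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

In the sample, the shell under sshd is ignored because its parent is not psql, the `sh -c less` child is ignored as the pager, and the two remaining shells are reported, the one under the uid 0 session at higher severity. In a real deployment the event source would be auditd execve records or an EDR process-tree feed, and the pager allowlist should match whatever PAGER setting the site actually uses.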
🚨 Conclusion
The CVE-2025-1094 vulnerability poses a serious threat as it allows remote code execution and is closely tied to CVE-2024-12356. Exploiting this BeyondTrust vulnerability would not be possible without leveraging this PostgreSQL flaw.
All PostgreSQL users must immediately update their systems, strengthen SQL injection protections, and restrict meta-command usage to prevent exploitation.
Cyber threats are becoming more complex, and vulnerabilities in widely used applications can lead to large-scale attacks. Regular software updates and enhanced security measures are crucial to safeguarding your systems! 🔒