Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-1094 — Improper Neutralization of Quoting Syntax in Postgresql-13

CWE-149 — Improper Neutralization of Quoting Syntax CWE-77 — Command Injection18 documents12 sources

Severity

8.1HIGHNVD

VulnCheck9.8

EPSS

83.1%

top 0.74%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Linux Kernel Debian Postgresql-13 Debian Postgresql-15 +5 more

Timeline

PublishedFeb 13

Latest updateFeb 12

Description

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source o…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages9 packages

▶debiandebian/postgresql-13< postgresql-13 13.20-0+deb11u1 (bullseye)

▶debiandebian/postgresql-15< postgresql-13 13.20-0+deb11u1 (bullseye)

▶debiandebian/postgresql-17< postgresql-13 13.20-0+deb11u1 (bullseye)

▶msrcmsrc/azl3_postgresql_16.5-2_on_azure_linux_3.0

▶msrcmsrc/azl3_postgresql_16.7-1_on_azure_linux_3.0

🔴Vulnerability Details

OSV

LoongArch: BPF: No support of struct argument in trampoline programs↗2025-11-12

▶

OSV

CVE-2025-1094: Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringC↗2025-02-13

▶

GHSA

GHSA-mhw9-x46c-v6q4: Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringC↗2025-02-13

▶

OSV

CVE-2025-21630: In the Linux kernel, the following vulnerability has been resolved: io_uring/net: always initialize kmsg->msg↗2025-01-15

▶

VulnCheck

PostgreSQL Quoting APIs SQL Injection Vulnerability↗2025

▶

💥Exploits & PoCs

Metasploit

BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) unauthenticated Remote Code Execution↗

▶

🔍Detection Rules

Suricata

ET EXPLOIT PostgreSQL psql SQL Injection (CVE-2025-1094)↗2025-02-18

▶

📋Vendor Advisories

Ubuntu

PostgreSQL vulnerability↗2025-04-30

▶

Ubuntu

PostgreSQL vulnerability↗2025-03-03

▶

Red Hat

postgresql: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation↗2025-02-13

▶

Microsoft

PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation↗2025-02-11

▶

Debian

CVE-2025-1094: postgresql-13 - Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescape...↗2025

▶

🕵️Threat Intelligence

Greynoiseio

Reconnaissance Has Begun for the New BeyondTrust RCE (CVE-2026-1731): Here's What We See So Far↗2026-02-12

▶

Bleepingcomputer

BeyondTrust warns of pre-auth RCE in Remote Support software↗2025-06-18

▶

Bleepingcomputer

PostgreSQL flaw exploited as zero-day in BeyondTrust breach↗2025-02-14

▶