CVE-2025-1094
published 2025-02-13

CVE-2025-1094: Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn()…

Priority: P1 · 86 · high
CVSS 3.1: 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 89.47% (99.8th percentile)
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

Affected

9 ranges

Vendor | Product                                     | Version range                                  | Fixed in
debian | postgresql-13                               | < postgresql-13 13.20-0+deb11u1 (bullseye)     | postgresql-13 13.20-0+deb11u1 (bullseye)
debian | postgresql-15                               | < postgresql-13 13.20-0+deb11u1 (bullseye)     | postgresql-13 13.20-0+deb11u1 (bullseye)
debian | postgresql-17                               | < postgresql-13 13.20-0+deb11u1 (bullseye)     | postgresql-13 13.20-0+deb11u1 (bullseye)
linux  | linux_kernel                                | >= 0 < 6.12.9-1                                | 6.12.9-1
linux  | linux_kernel                                | >= 6.17.0 < 6.17.3                             | 6.17.3
msrc   | azl3_postgresql_16.5-2_on_azure_linux_3.0   | (not listed)                                   | (not listed)
msrc   | azl3_postgresql_16.7-1_on_azure_linux_3.0   | (not listed)                                   | (not listed)
msrc   | cbl2_postgresql_14.14-1_on_cbl_mariner_2.0  | (not listed)                                   | (not listed)
msrc   | cbl2_postgresql_14.16-1_on_cbl_mariner_2.0  | (not listed)                                   | (not listed)

Detection & IOCs (extracted from sources)

command: \!
  • Monitor PostgreSQL logs for repeated 'invalid byte sequence for encoding UTF8' errors, which may indicate active exploitation of CVE-2025-1094.
  • Exploitation of CVE-2025-1094 in the BeyondTrust context was observed targeting the /nw WebSocket path on port 443, chained with CVE-2024-12356 argument injection.
  • Successful exploitation of CVE-2024-12356 (BeyondTrust RCE) requires chaining with CVE-2025-1094 SQL injection; detection of CVE-2024-12356 exploitation attempts should also check for PostgreSQL SQLi indicators.
  • CVE-2025-1094 is exploitable when client_encoding is BIG5 and server_encoding is EUC_TW or MULE_INTERNAL; audit PostgreSQL encoding configurations for these combinations as a high-risk indicator.
  • The psql meta-command '\!' enables shell command execution; monitor for psql sessions invoking this meta-command with untrusted or externally-sourced input.
  • A public Metasploit module exists for unauthenticated RCE against BeyondTrust PRA/RS (targeting versions 24.3.1 and below) leveraging this vulnerability chain; expect weaponized exploitation attempts.
  • CVE-2025-1094 SQL injection is only exploitable when the application passes escaped output to psql (the interactive terminal); applications using parameterized queries or ORMs are not affected.
  • The encoding-based attack vector is specifically scoped to client_encoding=BIG5 with server_encoding of EUC_TW or MULE_INTERNAL; other encoding combinations are not affected by this specific vector.
  • BeyondTrust's patch for CVE-2024-12356 does not fix the root cause of CVE-2025-1094, but does prevent exploitation of both vulnerabilities due to additional input sanitization; PostgreSQL must be patched separately.
  • Red Hat Enterprise Linux 10 packages (libpq and postgresql16) are listed as Not Affected for CVE-2025-1094.

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | v3.1         | 8.1   | HIGH     | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
osv           |              | 8.1   | HIGH     |
vulncheck     |              | 9.8   | CRITICAL |
vendor_debian |              | 8.1   | HIGH     |
vendor_msrc   |              | 8.1   | HIGH     |
vendor_redhat |              | 8.1   | HIGH     |