CVE-2025-1094
Published: 2025-02-13
CVE-2025-1094: Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn()…
Priority P186 high · 8.1 CVSS 3.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 89.47% (99.8th percentile)
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | postgresql-13 | < postgresql-13 13.20-0+deb11u1 (bullseye) | postgresql-13 13.20-0+deb11u1 (bullseye) |
| debian | postgresql-15 | < postgresql-13 13.20-0+deb11u1 (bullseye) | postgresql-13 13.20-0+deb11u1 (bullseye) |
| debian | postgresql-17 | < postgresql-13 13.20-0+deb11u1 (bullseye) | postgresql-13 13.20-0+deb11u1 (bullseye) |
| linux | linux_kernel | >= 0 < 6.12.9-1 | 6.12.9-1 |
| linux | linux_kernel | >= 6.17.0 < 6.17.3 | 6.17.3 |
| msrc | azl3_postgresql_16.5-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_postgresql_16.7-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_postgresql_14.14-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_postgresql_14.16-1_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- Monitor PostgreSQL logs for repeated 'invalid byte sequence for encoding UTF8' errors, which may indicate active exploitation of CVE-2025-1094.
- Exploitation of CVE-2025-1094 in the BeyondTrust context was observed targeting the /nw WebSocket path on port 443, chained with CVE-2024-12356 argument injection.
- Successful exploitation of CVE-2024-12356 (BeyondTrust RCE) requires chaining with CVE-2025-1094 SQL injection; detection of CVE-2024-12356 exploitation attempts should also check for PostgreSQL SQLi indicators.
- CVE-2025-1094 is exploitable when client_encoding is BIG5 and server_encoding is EUC_TW or MULE_INTERNAL; audit PostgreSQL encoding configurations for these combinations as a high-risk indicator.
- The psql meta-command '\!' enables shell command execution; monitor for psql sessions invoking this meta-command with untrusted or externally-sourced input.
- A public Metasploit module exists for unauthenticated RCE against BeyondTrust PRA/RS (targeting versions 24.3.1 and below) leveraging this vulnerability chain; expect weaponized exploitation attempts.
- CVE-2025-1094 SQL injection is only exploitable when the application passes escaped output to psql (the interactive terminal); applications using parameterized queries or ORMs are not affected.
- The encoding-based attack vector is specifically scoped to client_encoding=BIG5 with server_encoding of EUC_TW or MULE_INTERNAL; other encoding combinations are not affected by this specific vector.
- BeyondTrust's patch for CVE-2024-12356 does not fix the root cause of CVE-2025-1094, but does prevent exploitation of both vulnerabilities due to additional input sanitization; PostgreSQL must be patched separately.
- Red Hat Enterprise Linux 10 packages (libpq and postgresql16) are listed as Not Affected for CVE-2025-1094.
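The log-monitoring and encoding-audit items above, sketched as an added example (not code from any of the cited sources). It assumes the server log uses the default log_line_prefix '%m [%p] '; the function names, threshold, window and sample lines are constructed for illustration and should be tuned to the environment.

```python
import re
from datetime import datetime, timedelta

# Assumes the default log_line_prefix '%m [%p] ' (timestamp, backend PID).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? \S+ "
    r"\[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
ENC_ERR_RE = re.compile(r'invalid byte sequence for encoding "?UTF8"?', re.I)

# Server encodings the advisory pairs with client_encoding=BIG5.
RISKY_SERVER_ENCODINGS = {"EUC_TW", "MULE_INTERNAL"}

def is_high_risk_encoding(client_encoding, server_encoding):
    """True for the encoding combination named in the advisory."""
    return (client_encoding.upper() == "BIG5"
            and server_encoding.upper() in RISKY_SERVER_ENCODINGS)

def encoding_errors(lines):
    """Yield (timestamp, pid) for every encoding-validation error line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["level"] in ("ERROR", "FATAL") and ENC_ERR_RE.search(m["msg"]):
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), int(m["pid"])

def _summarize(cluster):
    return {"start": cluster[0][0], "end": cluster[-1][0], "count": len(cluster),
            "pids": sorted({pid for _, pid in cluster})}

def find_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Group errors that fall within `window` of the first error in the group
    and report groups holding at least `threshold` errors. Errors are pooled
    across backend PIDs because every psql run opens a new connection."""
    bursts, cluster = [], []
    for event in sorted(encoding_errors(lines)):
        if cluster and event[0] - cluster[0][0] > window:
            if len(cluster) >= threshold:
                bursts.append(_summarize(cluster))
            cluster = []
        cluster.append(event)
    if len(cluster) >= threshold:
        bursts.append(_summarize(cluster))
    return bursts

# Constructed sample log lines (not taken from a real incident).
SAMPLE_LOG = """\
2025-02-14 10:00:01.120 UTC [4101] LOG:  connection authorized: user=app database=appdb
2025-02-14 10:00:01.450 UTC [4101] ERROR:  invalid byte sequence for encoding "UTF8": 0xff
2025-02-14 10:00:09.002 UTC [4107] ERROR:  invalid byte sequence for encoding "UTF8": 0xff
2025-02-14 10:00:17.731 UTC [4112] ERROR:  invalid byte sequence for encoding "UTF8": 0xff
2025-02-14 10:00:20.010 UTC [4112] ERROR:  relation "missing" does not exist at character 15
2025-02-14 13:42:55.300 UTC [5230] ERROR:  invalid byte sequence for encoding "UTF8": 0xff
""".splitlines()

if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG):
        print(f"{b['count']} encoding errors from PIDs {b['pids']} "
              f"between {b['start']} and {b['end']}")
```

A single stray encoding error, like the 13:42 line in the sample, stays below the threshold; only the clustered errors are reported.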
CVSS provenance
- nvd (v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- osv: 8.1 HIGH
- vulncheck: 9.8 CRITICAL
- vendor_debian: 8.1 HIGH
- vendor_msrc: 8.1 HIGH
- vendor_redhat: 8.1 HIGH
OSV
LoongArch: BPF: No support of struct argument in trampoline programs
osv·2025-11-12
CVE-2025-40151 LoongArch: BPF: No support of struct argument in trampoline programs
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: BPF: No support of struct argument in trampoline programs
The current implementation does not support struct argument. This causes
an oops when running bpf selftest:
$ ./test_progs -a tracing_struct
Oops[#1]:
CPU -1 Unable to handle kernel paging request at virtual address 0000000000000018, era == 9000000085bef268, ra == 90000000844f3938
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 1-...0: (19 ticks this GP) idle=1094/1/0x4000000000000000 softirq=1380/1382 fqs=801
rcu: (detected by 0, t=5252 jiffies, g=1197, q=52 ncpus=4)
Sending NMI from CPU 0 to CPUs 1:
rcu: rcu_preempt kthread starved for 2495 jiffies! g1197 f0x0 RCU_GP_DOIN
OSV
CVE-2025-1094: Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringC
osv·2025-02-13·CVSS 8.1
CVE-2025-1094 [HIGH] CVE-2025-1094: Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringC
GHSA
GHSA-mhw9-x46c-v6q4: Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringC
ghsa_unreviewed·2025-02-13
CVE-2025-1094 [HIGH] CWE-149 GHSA-mhw9-x46c-v6q4: Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringC
OSV
CVE-2025-21630: In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: always initialize kmsg->msg
osv·2025-01-15
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: always initialize kmsg->msg.msg_inq upfront
syzbot reports that ->msg_inq may get used uninitialized from the
following path:
BUG: KMSAN: uninit-value in io_recv_buf_select io_uring/net.c:1094 [inline]
BUG: KMSAN: uninit-value in io_recv+0x930/0x1f90 io_uring/net.c:1158
io_recv_buf_select io_uring/net.c:1094 [inline]
io_recv+0x930/0x1f90 io_uring/net.c:1158
io_issue_sqe+0x420/0x2130 io_uring/io_uring.c:1740
io_queue_sqe io_uring/io_uring.c:1950 [inline]
io_req_task_submit+0xfa/0x1d0 io_uring/io_uring.c:1374
io_handle_tw_list+0x55f/0x5c0 io_uring/io_uring.c:1057
tctx_task_work_run+0x109/0x3e0 io_uring/io_uring.c:1121
tctx_task_work+0x6d/0xc0 io_uring/io_uring.c:1139
task_work_run+0x268/0x310 kernel/task_work
VulnCheck
PostgreSQL Quoting APIs SQL Injection Vulnerability
vulncheck·2025·CVSS 8.1
CVE-2025-1094 [HIGH] PostgreSQL Quoting APIs SQL Injection Vulnerability
Affected: PostgreSQL.org PostgreSQL
VulnCheck
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-12356 [CRITICAL] CWE-77 BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site user.
Affected: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS)
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/; https://insights.nccgroup.com/l/898251/2025-01-24/31knsst/898251/1
Ubuntu
PostgreSQL vulnerability
vendor_ubuntu·2025-04-30
CVE-2025-1094 PostgreSQL vulnerability
Title: PostgreSQL vulnerability
Summary: PostgreSQL could be made to execute arbitrary code if it received specially
crafted input.
USN-7315-1 fixed a vulnerability in PostgreSQL. This update provides the
corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
Stephen Fewer discovered that PostgreSQL incorrectly handled quoting
syntax in certain scenarios. A remote attacker could possibly use this
issue to perform SQL injection attacks.
Instructions: After a standard system update you need to restart PostgreSQL to make all
the necessary changes.
Ubuntu
PostgreSQL vulnerability
vendor_ubuntu·2025-03-03
CVE-2025-1094 PostgreSQL vulnerability
Title: PostgreSQL vulnerability
Summary: PostgreSQL could be made to execute arbitrary code if it received specially
crafted input.
Stephen Fewer discovered that PostgreSQL incorrectly handled quoting syntax
in certain scenarios. A remote attacker could possibly use this issue to
perform SQL injection attacks.
Instructions: This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
Red Hat
postgresql: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
vendor_redhat·2025-02-13·CVSS 8.1
CVE-2025-1094 [HIGH] CWE-149 postgresql: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
Microsoft
PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
vendor_msrc·2025-02-11·CVSS 8.1
CVE-2025-1094 [HIGH] CWE-149 PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
PostgreSQL: PostgreSQL
Customer Action Required: Yes
Remediati
Debian
CVE-2025-1094: postgresql-13 - Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescape...
vendor_debian·2025·CVSS 8.1
CVE-2025-1094 [HIGH] CVE-2025-1094: postgresql-13 - Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescape...
Scope: local
bullseye: resolved (fixed in 13.20-0+deb11u1)
Suricata
ET EXPLOIT PostgreSQL psql SQL Injection (CVE-2025-1094)
suricata·2025-02-18·CVSS 8.1
CVE-2025-1094 [HIGH] ET EXPLOIT PostgreSQL psql SQL Injection (CVE-2025-1094)
Rule: alert tcp any any -> $HOME_NET [$HTTP_PORTS,5432] (msg:"ET EXPLOIT PostgreSQL psql SQL Injection (CVE-2025-1094)"; flow:established,to_server; content:"|3b|"; content:"|5c 5c 21 20|"; fast_pattern; distance:0; reference:url,www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/; reference:cve,2025-1094; classtype:attempted-admin; sid:2060144; rev:3; metadata:affected_product PostgreSQL, attack_target Server, created_at 2025_02_18, cve CVE_2025_1094, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_03_04, reviewed_at 2025_08_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_
Greynoiseio
Reconnaissance Has Begun for the New BeyondTrust RCE (CVE-2026-1731): Here's What We See So Far
blogs_greynoiseio·2026-02-12·CVSS 9.9
[CRITICAL] Reconnaissance Has Begun for the New BeyondTrust RCE (CVE-2026-1731): Here's What We See So Far
Bleepingcomputer
BeyondTrust warns of pre-auth RCE in Remote Support software
blogs_bleepingcomputer·2025-06-18·CVSS 8.6
[HIGH] BeyondTrust warns of pre-auth RCE in Remote Support software
## BeyondTrust warns of pre-auth RCE in Remote Support software
## Sergiu Gatlan
BeyondTrust has released security updates to fix a high-severity flaw in its Remote Support (RS) and Privileged Remote Access (PRA) solutions that can let unauthenticated attackers gain remote code execution on vulnerable servers.
Remote Support is BeyondTrust's enterprise-grade remote support solution that helps IT support teams troubleshoot issues by remotely connecting to systems and devices, while Privileged Remote Access acts as a secure gateway and ensures that users can only access the specific systems and resources they're authorized to use.
Tracked as CVE-2025-5309, this Server-Side Template Injection vulnerability was discovered by Jorren Geurts of Resillion in the chat feature of BeyondTrust RS/
Bleepingcomputer
PostgreSQL flaw exploited as zero-day in BeyondTrust breach
blogs_bleepingcomputer·2025-02-14·CVSS 9.8
CVE-2024-12356 [CRITICAL] PostgreSQL flaw exploited as zero-day in BeyondTrust breach
## PostgreSQL flaw exploited as zero-day in BeyondTrust breach
## Sergiu Gatlan
Rapid7's vulnerability research team says attackers exploited a PostgreSQL security flaw as a zero-day to breach the network of privileged access management company BeyondTrust in December.
BeyondTrust revealed that attackers breached its systems and 17 Remote Support SaaS instances in early December using two zero-day bugs (CVE-2024-12356 and CVE-2024-12686) and a stolen API key.
Less than one month later, in early January, the U.S. Treasury Department disclosed that its network was breached by threat actors who used a stolen Remote Support SaaS API key to compromise its BeyondTrust instance.
Since then, the Treasury breach has been linked to Chinese state-backed hackers tracked as Silk Typhoon, a cyber-
- https://www.postgresql.org/support/security/CVE-2025-1094/
- http://www.openwall.com/lists/oss-security/2025/02/16/3
- http://www.openwall.com/lists/oss-security/2025/02/20/1
- https://lists.debian.org/debian-lts-announce/2025/02/msg00015.html
- https://lists.debian.org/debian-lts-announce/2025/02/msg00024.html
- https://security.netapp.com/advisory/ntap-20250221-0010/
2025-02-13: Published
Exploited in the wild