Summary: Rapid7 researchers have identified a high-severity SQL injection vulnerability (CVE-2025-1094) in PostgreSQL's interactive terminal, psql, which allows attackers to execute arbitrary code on affected systems. The vulnerability stems from the way PostgreSQL's string escaping routines handle invalid UTF-8 byte sequences. PostgreSQL users are strongly advised to upgrade to the latest patched versions to mitigate this threat.
Affected: PostgreSQL
Key points:
- CVE-2025-1094 enables SQL injection because escaping routines that were assumed to neutralize untrusted input do not correctly handle invalid UTF-8 byte sequences.
- Exploitation allows arbitrary code execution via the `\!` meta-command in psql, which runs a shell command.
- All supported versions of PostgreSQL prior to 17.3, 16.7, 15.11, 14.16, and 13.19 are vulnerable.
- Immediate measures include upgrading PostgreSQL and restricting access to the psql tool.
- Detailed analysis and testing modules are available through Rapid7’s AttackerKB platform.
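The two measures above (upgrade, and keep untrusted input away from psql) can both be scripted. The following is an added example written for this summary; it is not Rapid7's code or part of PostgreSQL. It assumes two things: that a version string is available from `psql --version` or `SELECT version()` output, and that any bytes destined for a psql session can be gated through a strict UTF-8 check first. The patched minimum releases are the ones listed in the key points; the sample inputs at the bottom are constructed for the demonstration.

```python
"""Defensive checks around CVE-2025-1094 (added example, not Rapid7's or PostgreSQL's code).

1. Decide from a reported PostgreSQL version whether the build already carries the fix
   (17.3, 16.7, 15.11, 14.16, 13.19 or later, per the advisory).
2. Reject, before it reaches any escaping routine or a psql session, any input that is
   not well-formed UTF-8, since the bug is triggered by invalid byte sequences
   surviving the escaping step.
"""
import re

# First fixed minor release per supported major series, as listed in the advisory.
PATCHED_MINIMUM = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}


def parse_version(version_text):
    """Extract (major, minor) from strings such as 'psql (PostgreSQL) 16.6'
    or 'PostgreSQL 15.11 on x86_64-pc-linux-gnu'. Returns None if absent."""
    match = re.search(r"PostgreSQL\)?\s+(\d+)\.(\d+)", version_text)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_patched(version_text):
    """True if the version is at or above the first fixed release of its major series.
    Majors not in the table (end-of-life or newer than the advisory) return None so the
    caller decides explicitly instead of assuming either way."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    major, minor = parsed
    if major not in PATCHED_MINIMUM:
        return None
    return minor >= PATCHED_MINIMUM[major]


def is_well_formed_utf8(data):
    """Strict UTF-8 check: Python's decoder rejects truncated sequences,
    stray continuation bytes, overlong encodings and encoded surrogates."""
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def gate_input(data):
    """Return the decoded text only when it is valid UTF-8; otherwise raise,
    so malformed bytes never reach an escaping routine or a psql session."""
    if not is_well_formed_utf8(data):
        raise ValueError("rejected: input is not well-formed UTF-8")
    return data.decode("utf-8")


# Constructed sample inputs for the demonstration (not from the advisory).
SAMPLE_INPUTS = {
    "ascii": b"alice",
    "multibyte": "caf\u00e9".encode("utf-8"),  # valid two-byte sequence
    "truncated": b"caf\xc3",                   # lead byte with no continuation
    "stray_continuation": b"\xa9alice",        # continuation byte with no lead
}


def audit_samples():
    """Map each sample name to whether it would pass the UTF-8 gate."""
    return {name: is_well_formed_utf8(raw) for name, raw in SAMPLE_INPUTS.items()}


if __name__ == "__main__":
    for text in ("psql (PostgreSQL) 16.6", "PostgreSQL 15.11 on x86_64-pc-linux-gnu"):
        print(f"{text!r}: patched={is_patched(text)}")
    for name, ok in audit_samples().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The version check deliberately returns `None` rather than `False` for series the advisory does not list, so an inventory script flags those hosts for manual review instead of silently marking them safe or unsafe. The UTF-8 gate is a complement to upgrading, not a substitute: it only helps for input paths you control, while the fix in the escaping routines covers every caller.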