CVE-2025-1094: 
PostgreSQL vulnerability analysis and mitigation

CVE-2025-1094 is a high-severity SQL injection vulnerability affecting PostgreSQL's libpq functions (PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn()). The vulnerability was discovered by Stephen Fewer of Rapid7 and disclosed on February 13, 2025. It affects all PostgreSQL versions before 17.3, 16.7, 15.11, 14.16, and 13.19, with a CVSS 3.1 base score of 8.1 (High) (PostgreSQL Security, Rapid7 Blog).

The vulnerability arises from improper neutralization of quoting syntax when handling invalid UTF-8 characters in PostgreSQL's string escaping routines. The issue specifically manifests when escaped untrusted input is included as part of a SQL statement executed by the interactive psql tool. The vulnerability occurs due to an incorrect assumption that attacker-controlled untrusted input, when safely escaped via PostgreSQL's string escaping routines, cannot be leveraged for SQL injection attacks (Rapid7 Blog).

When successfully exploited, this vulnerability can lead to SQL injection attacks, potentially enabling arbitrary code execution (ACE) through the psql tool's meta-commands. An attacker can leverage the interactive tool's ability to run meta-commands, specifically using the exclamation mark symbol to execute operating system shell commands. Additionally, attackers can execute arbitrary SQL statements, potentially leading to unauthorized data access, modification, or denial of service (Rapid7 Blog, NetApp Security).

Users are advised to upgrade to PostgreSQL versions 17.3, 16.7, 15.11, 14.16, or 13.19 or later. However, it's important to note that the initial fix released on February 13, 2025, contained a regression that caused PQescapeLiteral and PQescapeIdentifier methods to ignore their length parameter. This regression was subsequently addressed in versions 17.4, 16.8, 15.12, 14.17, and 13.20 released on February 20, 2025 (OSS Security, Debian LTS).