
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue in AWS Wrappers for Amazon Aurora PostgreSQL (CVE-2025-12967) was discovered that affects multiple AWS database connectors. The vulnerability was disclosed on November 10, 2025, affecting AWS JDBC Wrapper (<2.6.5), AWS Go Wrapper (<2025-10-17), AWS NodeJS Wrapper (<2.0.1), AWS Python Wrapper (<1.4.0), and AWS PGSQL ODBC driver (<1.0.1). The vulnerability was reported by security researcher Allistair Ishmael Hakim (AWS Security Bulletin).
The vulnerability exists due to unqualified PostgreSQL function calls in SQL queries. The CVSS score is 8.0 (High) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The issue is classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code). The vulnerability occurs because the AWS Wrappers construct and execute SQL queries that call PostgreSQL functions without explicitly specifying the pg_catalog schema (Miggo Analysis).
A low-privileged authenticated user can create a crafted function that could be executed with the permissions of other Amazon Relational Database Service (RDS) users, potentially leading to privilege escalation to the rds_superuser role. This could allow unauthorized access to sensitive database operations and data (AWS Security Bulletin).
AWS recommends upgrading to the following patched versions: AWS JDBC Wrapper to v2.6.5, AWS Go Wrapper to 2025-10-17, AWS NodeJS Wrapper to v2.0.1, AWS Python Wrapper to v1.4.0, and AWS PGSQL ODBC driver to v1.0.1. As a workaround, users can remove the public schema from the search path (AWS Security Bulletin).
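The following SQL is an added example, not taken from the AWS bulletin or the wrappers' code: it audits a database for the conditions described above and applies the search-path workaround. The role name `app_user`, the database name `appdb`, and the use of `pg_is_in_recovery()` as the sample call are assumptions for illustration.

```sql
-- 1. Effective search_path for this session, plus any per-role or
--    per-database overrides that new sessions will inherit.
SHOW search_path;

SELECT COALESCE(r.rolname, '(all roles)')     AS role,
       COALESCE(d.datname, '(all databases)') AS database,
       s.setconfig
FROM pg_catalog.pg_db_role_setting s
LEFT JOIN pg_catalog.pg_roles    r ON r.oid = s.setrole
LEFT JOIN pg_catalog.pg_database d ON d.oid = s.setdatabase;

-- 2. Roles that are allowed to create objects in the public schema.
SELECT r.rolname
FROM pg_catalog.pg_roles r
WHERE pg_catalog.has_schema_privilege(r.rolname, 'public', 'CREATE')
ORDER BY r.rolname;

-- 3. Functions in public that share a name with a pg_catalog function.
--    Any hit deserves review: check the owner and the function body.
SELECT p.oid::pg_catalog.regprocedure         AS function_in_public,
       pg_catalog.pg_get_userbyid(p.proowner) AS owner
FROM pg_catalog.pg_proc p
WHERE p.pronamespace = 'public'::pg_catalog.regnamespace
  AND EXISTS (
        SELECT 1
        FROM pg_catalog.pg_proc c
        WHERE c.pronamespace = 'pg_catalog'::pg_catalog.regnamespace
          AND c.proname = p.proname)
ORDER BY 1;

-- 4. Workaround from the advisory: remove public from the search path.
--    app_user and appdb are placeholders; the setting applies to new sessions.
ALTER ROLE app_user SET search_path = "$user";
ALTER DATABASE appdb SET search_path = "$user";

-- 5. Unqualified versus schema-qualified call (illustrative function only).
SELECT pg_is_in_recovery();             -- resolved through search_path
SELECT pg_catalog.pg_is_in_recovery();  -- always the built-in function
```

Applications that reference tables in `public` without a schema prefix will need those references qualified before step 4 is applied.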
Source: This report was generated using AI