CVE-2025-1520: 
JavaScript vulnerability analysis and mitigation

PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability (CVE-2025-1520) was discovered and disclosed on February 25, 2025. This vulnerability affects PostHog installations and requires authentication to exploit. The vulnerability was initially reported to the vendor on October 3, 2024, and was assigned a CVSS score of 7.1 (High) (ZDI Advisory, NVD).

The vulnerability exists within the implementation of the SQL parser in PostHog's ClickHouse functionality. The specific flaw stems from the lack of proper validation of user-supplied strings before using them to construct SQL queries. The vulnerability has been assigned a CVSS v3.0 base score of 7.1 (HIGH) with the vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that it requires network-adjacent access and high attack complexity, but can result in high impacts to confidentiality, integrity, and availability (ZDI Advisory).

If successfully exploited, this vulnerability allows network-adjacent attackers to execute arbitrary code on affected PostHog installations. The attacker can leverage this vulnerability to execute code in the context of the database account, potentially leading to complete system compromise (ZDI Advisory).

PostHog has released an update to address this vulnerability. Users should apply the patch available in the commit 6e8f035f9acd339c5ba87ba6ea40fc1ab3053d42 (GitHub Commit).