CVE-2025-58450: 
vulnerability analysis and mitigation

A critical SQL injection vulnerability (CVE-2025-58450) affects pREST (PostgreSQL REST), an API that delivers applications on top of Postgres databases. The vulnerability exists in versions prior to 2.0.0-rc3, where the validation present does not provide adequate protection from SQL injection attempts. The flaw was discovered in September 2025 and received a CVSS v4.0 score of 9.3 (Critical) (NVD, Security Online).

The SQL injection vulnerability is systemic in the implementation, affecting core REST endpoints for database operations including GET, POST, PUT/PATCH, and DELETE. The issue stems from unsafe query construction that concatenates unvalidated input directly into SQL statements. The vulnerability exists in multiple code paths where input validation is either faulty or non-existent. The flaw received a CVSS v4.0 Base Score of 9.3 with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary commands on the database, enabling unauthorized access and modification of stored data. Attackers can read sensitive system files such as /etc/passwd, steal secrets and API keys from environment variables, extract password hashes from internal PostgreSQL tables, and potentially achieve arbitrary command execution. The official pREST Docker container runs with superuser permissions, which increases the exposure to these attacks (Security Online).

The vulnerability has been patched in version 2.0.0-rc3. The recommended mitigations include: avoiding unsafe string concatenation for query building, applying strict input validation for database identifiers (restricting to alphanumeric characters, dashes, and underscores), disallowing double quotes in user-controlled identifiers, and considering a shift to parametrized queries (Security Online).