CVE-2025-8714: 
PostgreSQL vulnerability analysis and mitigation

Untrusted data inclusion vulnerability in pgdump in PostgreSQL (CVE-2025-8714) allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. The vulnerability affects pgdumpall and pg_restore (when used to generate a plain-format dump). This vulnerability is similar to MySQL CVE-2024-21096 and affects versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22. The issue was discovered and reported by Martin Rakhmanov, Matthieu Denais, and RyotaK (PostgreSQL Security).

The vulnerability exists in the pg_dump functionality of PostgreSQL, specifically affecting the handling of psql meta-commands. The issue has been assigned a CVSS 3.0 score of 8.8 (High), with a vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (PostgreSQL Security).

When successfully exploited, this vulnerability allows malicious superusers of the origin server to execute arbitrary code with the privileges of the client operating system account that is running psql during dump restoration. The impact extends to both pgdumpall and pgrestore functionalities when generating plain-format dumps (PostgreSQL Security).

The PostgreSQL project has released patched versions to address this vulnerability. Users should upgrade to PostgreSQL versions 17.6, 16.10, 15.14, 14.19, or 13.22 depending on their current version. These updates were released on August 14, 2025 (PostgreSQL Security).