CVE-2025-8714
PostgreSQL vulnerability analysis and mitigation

Overview

A critical vulnerability (CVE-2025-8714) was discovered in PostgreSQL's pg_dump utility and disclosed on August 14, 2025. It allows a malicious superuser on the origin server to inject arbitrary code that executes at restore time on the client. The flaw affects multiple PostgreSQL components, including pg_dump, pg_dumpall, and pg_restore (when generating plain-format dumps), and impacts all PostgreSQL versions before 17.6, 16.10, 15.14, 14.19, and 13.22 (PostgreSQL Security).

Technical details

The flaw arises because pg_dump writes untrusted data from the origin server into its output without sufficient sanitization, so an attacker can inject psql meta-commands that execute with the privileges of the user running the restoration process. The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. It is categorized under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) and shares similarities with MySQL's CVE-2024-21096 (NVD Database, PostgreSQL Security).

Impact

The vulnerability enables arbitrary code execution on the client system with the privileges of the user running the restoration process. This is particularly dangerous in DevOps environments where automated backup restoration occurs regularly, as compromised dumps can execute with elevated system privileges. The impact is severe enough that some cloud providers have disabled customer-initiated logical restore operations until tenant clusters are verified as patched (GBHackers).

Mitigation and workarounds

Organizations must upgrade to PostgreSQL versions 17.6, 16.10, 15.14, 14.19, or 13.22 immediately. Development teams should audit their CI/CD pipelines for pg_dump usage and implement additional validation steps for backup files. With PostgreSQL 13 reaching end-of-life on November 13, 2025, organizations should prioritize migration to supported versions (PostgreSQL Security, GBHackers).
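One concrete form of the "additional validation steps for backup files" recommended above is a pre-restore gate that scans a plain-format dump for psql meta-commands, the channel this vulnerability abuses. The following is an added example, not PostgreSQL project code; it assumes that the only meta-commands a legitimate dump starts a line with are \connect (from pg_dumpall) and the \restrict/\unrestrict pair emitted by the fixed versions, and the sample dumps are constructed.

```python
"""Pre-restore validation gate for plain-format PostgreSQL dumps (added example).
A backslash at the start of a line outside COPY data is interpreted by psql as a
meta-command, which runs on the client with the restoring user's privileges."""
import re

# Meta-commands a legitimate dump may start a line with. \connect comes from
# pg_dumpall; \restrict / \unrestrict are emitted by the fixed pg_dump versions.
# Assumption: extend this set for anything your own backup tooling adds.
ALLOWED_META = {"\\connect", "\\restrict", "\\unrestrict"}

COPY_STDIN = re.compile(r"^COPY\s.*\bFROM\s+stdin;\s*$", re.IGNORECASE)
META_CMD = re.compile(r"^\s*(\\[A-Za-z!?]+)")


def find_meta_commands(dump_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for each line-leading psql meta-command that
    is not allow-listed. Lines inside COPY ... FROM stdin data (terminated by a
    lone '\\.') are table data, not commands, and are skipped. Dollar-quoted
    function bodies are not parsed, so a body line beginning with a backslash
    is also reported: a false positive that gets a manual look, not a silent pass."""
    findings = []
    in_copy = False
    for lineno, line in enumerate(dump_text.splitlines(), start=1):
        if in_copy:
            if line == "\\.":
                in_copy = False
            continue
        if COPY_STDIN.match(line):
            in_copy = True
            continue
        m = META_CMD.match(line)
        if m and m.group(1) not in ALLOWED_META:
            findings.append((lineno, line.rstrip()))
    return findings


def dump_is_clean(dump_text: str) -> bool:
    """True when the dump contains no unexpected meta-commands."""
    return not find_meta_commands(dump_text)


# Constructed sample dump: a backslash inside COPY data is harmless table data.
BENIGN_DUMP = """\
\\restrict abc123
--
-- Name: t; Type: TABLE; Schema: public; Owner: app
--
COPY public.t (id, note) FROM stdin;
1\tnote containing \\! as plain data
\\.
\\unrestrict abc123
"""

# Constructed tampered copy: one injected meta-command at top level of the script.
TAMPERED_DUMP = BENIGN_DUMP.replace("\\unrestrict", "\\! echo injected\n\\unrestrict")
```

Run the gate before handing the file to psql and refuse the restore on any finding; a patched client still benefits from the check because it documents what the dump would have done.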

Community reactions

Cloud providers have responded swiftly to the vulnerability by initiating emergency fleet updates and temporarily disabling customer-initiated logical restore operations until their tenant clusters are verified as patched. The PostgreSQL project has credited Martin Rakhmanov, Matthieu Denais, and RyotaK for responsibly disclosing this security issue (GBHackers).

This report was generated using AI.

Related PostgreSQL vulnerabilities:

CVE ID        | Severity | Score | Technologies | Component name                        | CISA KEV exploit | Has fix | Published date
CVE-2025-8715 | HIGH     | 8.8   | PostgreSQL   | postgresql14-devel                    | No               | Yes     | Aug 14, 2025
CVE-2025-8714 | HIGH     | 8.8   | PostgreSQL   | postgresql15-private-libs-debuginfo   | No               | Yes     | Aug 14, 2025
CVE-2025-1094 | HIGH     | 8.1   | PostgreSQL   | postgresql:16::postgres-decoderbufs   | No               | Yes     | Feb 13, 2025
CVE-2025-4207 | MEDIUM   | 5.9   | PostgreSQL   | postgresql13-llvmjit                  | No               | Yes     | May 08, 2025
CVE-2025-8713 | LOW      | 3.1   | PostgreSQL   | postgresql16-plperl-debuginfo         | No               | Yes     | Aug 14, 2025
