CVE-2025-8715
PostgreSQL vulnerability analysis and mitigation

Overview

CVE-2025-8715 is a critical vulnerability in PostgreSQL's pg_dump utility, discovered in August 2025. The flaw stems from improper neutralization of newlines in pg_dump output and affects PostgreSQL versions 13 through 17. It allows a user of the origin server to inject arbitrary code for restore-time execution via psql meta-commands placed inside purpose-crafted object names. Notably, the attack vectors it exposes had previously been fixed by CVE-2012-0868 and were reintroduced in version 11.20 (PostgreSQL Security).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The flaw is classified under CWE-93 (Improper Neutralization of CRLF Sequences). It affects several PostgreSQL client utilities, including pg_dump, pg_dumpall, pg_restore, and pg_upgrade. Specifically, it impacts versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22, while versions before 11.20 are unaffected (NVD Database, PostgreSQL Security).

Impact

The vulnerability has two impact vectors: it enables arbitrary code execution on the client system with the privileges of the user running psql to restore the dump, and it enables SQL injection as a superuser of the restore target server. This is particularly dangerous in DevOps environments where automated backup restoration occurs regularly, since a compromised dump executes with whatever system privileges the restore job holds (GBHackers).

Mitigation and workarounds

Organizations must upgrade to the fixed versions: PostgreSQL 17.6, 16.10, 15.14, 14.19, or 13.22. Cloud providers have initiated emergency fleet updates and some have disabled customer-initiated logical restore operations until tenant clusters are patched. Development teams are advised to audit their CI/CD pipelines for pg_dump usage and implement additional validation steps for backup files (PostgreSQL Security, GBHackers).
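The delivery channel described in the overview is a newline smuggled into an object name, which lands a psql meta-command on its own line of the plain-text dump, where psql executes it during restore. The following is an added example, not code from the PostgreSQL project, of the "additional validation steps for backup files" the mitigation advice calls for. It implements two defender-side checks: a scanner that flags unexpected psql meta-commands in a plain-format dump while skipping COPY data blocks (so escaped backslashes in row data do not trigger false positives), and a catalog query for the origin server that lists object names containing CR or LF characters before they are ever dumped. The EXPECTED_META allow-list, the ORIGIN_AUDIT_SQL query and the SAMPLE_DUMP text are all assumptions constructed for this example; patched pg_dump wrapping its output in \restrict / \unrestrict is what the allow-list anticipates. The scanner generalises beyond the single case in the text: it works on any plain-format pg_dump or pg_dumpall file.

```python
"""Defensive checks for the CVE-2025-8715 delivery channel (added example).

Not PostgreSQL project code. Assumptions: EXPECTED_META is the set of
meta-commands a legitimate plain-format dump may contain in this
environment; ORIGIN_AUDIT_SQL is a hypothetical audit query; SAMPLE_DUMP
is constructed test input, not real pg_dump output.
"""
import re
from typing import List, Tuple

# Meta-commands a trusted dump is allowed to carry (assumption; tune per site).
EXPECTED_META = {"\\connect", "\\restrict", "\\unrestrict"}

# "COPY <table> (<cols>) FROM stdin;" opens a data block that psql reads as
# rows until the end-of-data marker "\." alone on a line; rows are never
# interpreted as meta-commands even if they start with a backslash.
COPY_START = re.compile(r"^COPY\s.*\sFROM\s+stdin;\s*$", re.IGNORECASE)
META_CMD = re.compile(r"^\\(\S*)")

# Hypothetical audit query for the origin server: list identifiers holding a
# line feed (chr(10)) or carriage return (chr(13)). Extend to pg_proc,
# pg_type, etc. as your schema requires.
ORIGIN_AUDIT_SQL = """
SELECT 'relation' AS kind, n.nspname AS schema, c.relname AS name
  FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE position(chr(10) IN c.relname) > 0 OR position(chr(13) IN c.relname) > 0
UNION ALL
SELECT 'schema', NULL, n.nspname
  FROM pg_namespace n
 WHERE position(chr(10) IN n.nspname) > 0 OR position(chr(13) IN n.nspname) > 0
UNION ALL
SELECT 'role', NULL, r.rolname
  FROM pg_roles r
 WHERE position(chr(10) IN r.rolname) > 0 OR position(chr(13) IN r.rolname) > 0;
"""


def scan_dump(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each meta-command not in EXPECTED_META.

    Lines inside a COPY ... FROM stdin; block are data and are skipped.
    """
    findings: List[Tuple[int, str]] = []
    in_copy = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if in_copy:
            if line == "\\.":          # end-of-data marker closes the block
                in_copy = False
            continue
        if COPY_START.match(line):
            in_copy = True
            continue
        m = META_CMD.match(line)
        if m:
            cmd = "\\" + m.group(1)
            if cmd not in EXPECTED_META:
                findings.append((lineno, line))
    return findings


def is_dump_clean(text: str) -> bool:
    """True when the dump carries no unexpected psql meta-commands."""
    return not scan_dump(text)


# Constructed sample: a header comment line as pg_dump writes it, followed by
# a line that only exists because the object name contained a newline.
SAMPLE_DUMP = "\n".join([
    "--",
    "-- PostgreSQL database dump (constructed sample, not real output)",
    "--",
    "\\restrict 3f1a9c",
    "SET client_encoding = 'UTF8';",
    "--",
    "-- Name: orders; Type: TABLE; Schema: public; Owner: app",
    "\\! echo unexpected-meta-command",   # smuggled line: must be flagged
    "--",
    "CREATE TABLE public.orders (id integer);",
    "COPY public.orders (id) FROM stdin;",
    "\\\\not-a-command",                  # COPY row with an escaped backslash
    "1",
    "\\.",
    "\\unrestrict 3f1a9c",
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DUMP
    for lineno, line in scan_dump(text):
        print(f"line {lineno}: unexpected psql meta-command: {line}")
    print("clean" if is_dump_clean(text) else "NOT clean")
```

Run it against a plain-format dump (`python scan_dump.py backup.sql`); custom-format archives have to be rendered to SQL first with `pg_restore -f out.sql backup.dump`. Treat any finding as a reason to stop the restore job, not as something to strip out, and run ORIGIN_AUDIT_SQL on the source server to locate the identifier that produced it. Scanning is a compensating control only; upgrading pg_dump and psql to the fixed versions remains the actual remediation.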

Community reactions

Cloud providers have responded rapidly to this threat by initiating emergency fleet updates and temporarily disabling customer-initiated logical restore operations until their tenant clusters are verified as patched. The PostgreSQL project has credited Noah Misch for responsibly disclosing this vulnerability (GBHackers).

This report was generated using AI.

Related PostgreSQL vulnerabilities:

CVE ID         Severity  Score  Technologies  Component name                    CISA KEV exploit  Has fix  Published date
CVE-2025-8715  HIGH      8.8    PostgreSQL    postgresql:13::postgresql-static  No                Yes      Aug 14, 2025
CVE-2025-8714  HIGH      8.8    PostgreSQL    libpq5-32bit                      No                Yes      Aug 14, 2025
CVE-2025-1094  HIGH      8.1    PostgreSQL    postgresql14-plpython3            No                Yes      Feb 13, 2025
CVE-2025-4207  MEDIUM    5.9    PostgreSQL    postgresql13-docs                 No                Yes      May 08, 2025
CVE-2025-8713  LOW       3.1    PostgreSQL    postgresql16-plpython             No                Yes      Aug 14, 2025
