CVE-2025-1094
postgresql-13 - regression update
Description
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
How to fix CVE-2025-1094
To remediate CVE-2025-1094, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 14.17-r0 or later
- upgrade to 15.11-r0 or later
- upgrade to 16.8-r0 or later
- upgrade to 17.4-r0 or later
- upgrade to 13.19.0 or later
- upgrade to 13.20-0+deb11u1 or later
- upgrade to 13.19-0+deb11u1 or later
- upgrade to 13.20-0+deb11u1 or later
- upgrade to 15.11-0+deb12u1 or later
- upgrade to 17.3-1 or later
Is CVE-2025-1094 being exploited?
Likely — EPSS is 82.4%, placing CVE-2025-1094 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (10)
- from 0, < 14.17-r0
- from 0, < 15.11-r0
- from 0, < 16.8-r0
- from 0, < 17.4-r0
- from 0, < 13.19.0; >= 14.0.0, < 14.16.0; >= 15.0.0, < 15.11.0; >= 16.0.0, < 16.7.0; >= 17.0.0, < 17.3.0
- from 0, < 13.20-0+deb11u1
- from 0, < 13.19-0+deb11u1
- from 0, < 13.20-0+deb11u1
- from 0, < 15.11-0+deb12u1
- from 0, < 17.3-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |