CVE-2025-1094
Published: 13 February 2025
Summary
CVE-2025-1094 is a high-severity Improper Neutralization of Quoting Syntax (CWE-149) vulnerability in PostgreSQL. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2025-1094 is an improper neutralization of quoting syntax flaw in the PostgreSQL client library libpq: the escaping functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() and PQescapeStringConn() can return output in which a quote character is not neutralized. The same class of flaw affects certain PostgreSQL command-line utility programs. All releases before PostgreSQL 17.3, 16.7, 15.11, 14.16 and 13.19 are affected. Two usage patterns turn the flaw into SQL injection: an application passes the escaped output to psql, the PostgreSQL interactive terminal (the libpq path), or a command-line utility is run with attacker-controlled arguments while client_encoding is BIG5 and server_encoding is EUC_TW or MULE_INTERNAL (the utility path). The advisory describes no injection for applications that send the escaped string to the server through libpq itself rather than through psql.
An unauthenticated remote attacker who controls the data that such an application escapes, or the arguments given to a vulnerable utility, can achieve SQL injection. Successful exploitation can compromise confidentiality, integrity and availability, which is reflected in the CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1): network-reachable with no privileges or user interaction required, but high attack complexity because the attacker's input has to reach one of the specific usage patterns above.
Official advisories from PostgreSQL and downstream distributors such as Debian recommend upgrading to the patched releases listed above. Because libpq and psql are client-side components, the upgrade must cover every host that links libpq or runs psql on untrusted data, not only the database server. The EPSS probability remains near its recorded peak of 0.8336, meaning the model estimates a high likelihood of exploitation activity in the wild.
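To make the failure mode concrete, the Python below is an added example (not PostgreSQL or libpq code) that models quote doubling over a UTF-8 byte string in two ways. naive_escape_literal trusts the lead byte to decide how many bytes a character occupies and copies those bytes through unchanged; this is a simplified model of escaping without encoding validation, an assumption of this example rather than a transcription of the unpatched libpq source. hardened_escape_literal first verifies that the input is valid in the assumed client encoding (UTF8) and refuses it otherwise, which is the check a practitioner should expect from an escaping routine. undoubled_quote_inside is a byte-oriented consumer check: if a single quote inside the literal is not doubled, a consumer such as psql ends the literal early. The sample inputs are constructed for the example.

```python
"""Model of encoding-aware vs encoding-blind quote doubling (added example,
not libpq code). client_encoding is assumed to be UTF8 throughout."""

QUOTE = 0x27  # the single-quote byte '


def utf8_lead_len(b: int) -> int:
    """Number of bytes a UTF-8 character is expected to span, judged from its
    lead byte alone (the continuation bytes are NOT verified here)."""
    if b < 0x80:
        return 1
    if 0xC0 <= b < 0xE0:
        return 2
    if 0xE0 <= b < 0xF0:
        return 3
    if 0xF0 <= b < 0xF8:
        return 4
    return 1  # stray continuation byte or invalid lead byte: treat as one byte


def naive_escape_literal(data: bytes) -> bytes:
    """Encoding-blind escaping (simplified model, an assumption of this
    example): double every quote seen as a character of its own, but copy the
    bytes following a multibyte lead byte verbatim. A quote sitting where a
    continuation byte is expected is therefore copied through undoubled."""
    out = bytearray(b"'")
    i = 0
    while i < len(data):
        n = utf8_lead_len(data[i])
        if n == 1 and data[i] == QUOTE:
            out += b"''"
        else:
            out += data[i:i + n]
        i += n
    out += b"'"
    return bytes(out)


def hardened_escape_literal(data: bytes, client_encoding: str = "utf-8") -> bytes:
    """Encoding-aware escaping: refuse input that is not valid in the client
    encoding, then double quotes on the validated text."""
    try:
        text = data.decode(client_encoding)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid in client_encoding {client_encoding}") from exc
    return b"'" + text.replace("'", "''").encode(client_encoding) + b"'"


def undoubled_quote_inside(literal: bytes) -> bool:
    """Byte-oriented consumer check: True if the body of a quoted literal
    contains a single quote that is not doubled, i.e. the literal would be
    terminated early by a lexer that does not validate the encoding."""
    body = literal[1:-1]
    i = 0
    while i < len(body):
        if body[i] == QUOTE:
            if i + 1 < len(body) and body[i + 1] == QUOTE:
                i += 2
                continue
            return True
        i += 1
    return False


# Constructed sample inputs for the example.
VALID_INPUT = "O'Reilly in Zürich".encode("utf-8")
# 0xC0 is a UTF-8 lead byte announcing a 2-byte character, but the byte after
# it is a quote, not a continuation byte: the sequence is invalid UTF-8.
INVALID_INPUT = b"abc\xc0'def"


def demo() -> dict:
    """Run both escapers on both inputs and report what a consumer would see."""
    result = {
        "valid_naive": naive_escape_literal(VALID_INPUT),
        "valid_hardened": hardened_escape_literal(VALID_INPUT),
        "invalid_naive": naive_escape_literal(INVALID_INPUT),
    }
    result["invalid_naive_leaks_quote"] = undoubled_quote_inside(result["invalid_naive"])
    try:
        hardened_escape_literal(INVALID_INPUT)
        result["invalid_hardened_rejected"] = False
    except ValueError:
        result["invalid_hardened_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

On the valid input both escapers agree; on the invalid input the naive model emits a literal with an undoubled quote in its body, while the hardened version refuses the input outright, which is the behaviour to require of any escaping routine that sits in front of a byte-oriented consumer.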
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1999
Vulnerability details
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
- CWE: CWE-149 (Improper Neutralization of Quoting Syntax)
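The version and encoding conditions above are the two facts a scan needs to decide whether a deployment is in scope. The following Python is an added example (not from PostgreSQL or from this page's tooling) that turns them into a check: it parses a version string as printed by psql --version or returned by SELECT version(), compares it with the first fixed release of its major line, and reports which of the two injection paths is reachable. The fixed versions and the encoding pair come from the advisory text; the parsing logic, the handling of majors outside 13 to 17, and the sample strings are this example's own assumptions.

```python
"""Assess whether a PostgreSQL deployment falls inside the affected range for
CVE-2025-1094 (added example; fixed versions and the encoding condition are
taken from the advisory text, everything else is this example's own logic)."""
import re

# First fixed release per major line, from the advisory.
FIXED_IN = {17: (17, 3), 16: (16, 7), 15: (15, 11), 14: (14, 16), 13: (13, 19)}

# Encoding pair under which the command-line utility path is reachable.
CLI_CLIENT_ENCODING = "BIG5"
CLI_SERVER_ENCODINGS = {"EUC_TW", "MULE_INTERNAL"}

# Matches 'psql (PostgreSQL) 16.4' as well as 'PostgreSQL 16.4 (Debian ...) on x86_64...'.
_VERSION_RE = re.compile(r"PostgreSQL\D*(\d+)\.(\d+)")


def parse_version(text: str):
    """Extract (major, minor) from a psql --version or SELECT version() string.
    Returns None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def version_affected(version) -> bool:
    """True if the release predates the fix for its major line."""
    major, minor = version
    if major in FIXED_IN:
        return (major, minor) < FIXED_IN[major]
    # Assumption of this example: majors below 13 are older than every fixed
    # release (and end of life), majors above 17 were first released after
    # the fix shipped.
    return major < 13


def cli_path_reachable(client_encoding: str, server_encoding: str) -> bool:
    """The utility path needs client_encoding BIG5 with an EUC_TW or
    MULE_INTERNAL server_encoding (encoding names are case-insensitive)."""
    return (client_encoding.upper() == CLI_CLIENT_ENCODING
            and server_encoding.upper() in CLI_SERVER_ENCODINGS)


def assess(version_text: str, client_encoding: str, server_encoding: str,
           feeds_psql: bool) -> dict:
    """Combine the release check with the two usage patterns.

    feeds_psql: whether application code passes libpq-escaped output to psql
    (this cannot be derived from the server, it has to come from code review)."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no PostgreSQL version found in {version_text!r}")
    affected = version_affected(version)
    return {
        "version": version,
        "affected_release": affected,
        "libpq_psql_path": affected and feeds_psql,
        "cli_utility_path": affected and cli_path_reachable(client_encoding, server_encoding),
    }


# Constructed sample inputs, in the shape the real commands print.
SAMPLE_PSQL_VERSION = "psql (PostgreSQL) 15.10"
SAMPLE_SERVER_VERSION = "PostgreSQL 17.3 on x86_64-pc-linux-gnu, compiled by gcc"

if __name__ == "__main__":
    print(assess(SAMPLE_PSQL_VERSION, "BIG5", "MULE_INTERNAL", feeds_psql=False))
    print(assess(SAMPLE_SERVER_VERSION, "UTF8", "UTF8", feeds_psql=True))
```

Note that the release check alone is what an RA-5 scanner can automate; whether the libpq path is reachable depends on application code feeding escaped strings into psql, which is why the feeds_psql flag is an explicit input rather than something the script discovers.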
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 Exploit Public-Facing Application
Why this technique?
An attacker who can reach a public-facing application that escapes untrusted input with libpq and feeds the result to psql, or that invokes an affected command-line utility with untrusted arguments, can exploit the flaw remotely to inject SQL.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely patching of the improper neutralization flaw in PostgreSQL libpq functions and command-line utilities removes the SQL injection risk at its source; the patch has to reach client hosts that link libpq or run psql, not only the server.
- Input validation: validating the inputs given to PostgreSQL escaping functions and command-line arguments, in particular rejecting strings that are not valid in the client encoding, blocks SQL injection from malformed quoting syntax.
- RA-5 (Vulnerability Monitoring and Scanning): automated scanning identifies deployments of vulnerable PostgreSQL versions affected by CVE-2025-1094.