CVE-2025-1094

Public on 2025-02-13
Modified on 2025-02-18
Description
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Severity
Important severity
Important
CVSS v3 Base Score
8.1
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
HAQM Linux 2 - Postgresql13 Extra libpq 2025-03-03 ALAS2POSTGRESQL13-2025-010 Fixed
HAQM Linux 2 - Postgresql14 Extra libpq 2025-03-03 ALAS2POSTGRESQL14-2025-017 Fixed
HAQM Linux 2023 libpq 2025-02-26 ALAS2023-2025-868 Fixed
HAQM Linux 2 - Core postgresql Pending Fix
HAQM Linux 2 - Postgresql13 Extra postgresql 2025-03-03 ALAS2POSTGRESQL13-2025-009 Fixed
HAQM Linux 2 - Postgresql14 Extra postgresql 2025-03-03 ALAS2POSTGRESQL14-2025-016 Fixed
HAQM Linux 2023 postgresql15 2025-02-26 ALAS2023-2025-869 Fixed
HAQM Linux 2023 postgresql16 2025-02-26 ALAS2023-2025-870 Fixed
HAQM Linux 1 postgresql8 No Fix Planned
HAQM Linux 1 postgresql92 No Fix Planned
HAQM Linux 1 postgresql93 No Fix Planned
HAQM Linux 1 postgresql94 No Fix Planned
HAQM Linux 1 postgresql95 No Fix Planned
HAQM Linux 1 postgresql96 No Fix Planned

CVSS Scores

Score Type Score Vector
HAQM Linux CVSSv3 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD CVSSv3 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2025-1094 Mitre: CVE-2025-1094