CRLF Injection Affecting postgresql:15/postgresql-server-devel package, versions <0:15.14-1.module+el9.6.0+23419+7863ab62


Severity

Recommended
0.0
high
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.39% (31st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL9-POSTGRESQL-11888329
  • published15 Aug 2025
  • disclosed14 Aug 2025

Introduced: 14 Aug 2025

CVE-2025-8715  (opens in a new tab)
CWE-93  (opens in a new tab)

How to fix?

Upgrade RHEL:9 postgresql:15/postgresql-server-devel to version 0:15.14-1.module+el9.6.0+23419+7863ab62 or higher.
This issue was patched in RHSA-2025:14862.

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql:15/postgresql-server-devel package and not the postgresql:15/postgresql-server-devel package as distributed by RHEL. See How to fix? for RHEL:9 relevant fixed versions and status.

Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.

CVSS Base Scores

version 3.1