Improper Neutralization of Quoting Syntax Affecting postgresql package, versions [,13.19)[14.0,14.16)[15.0,15.11)[16.0,16.7)[17.0,17.3)
Threat Intelligence
This vulnerability is trending on Twitter; this may indicate a growing threat.
Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-UNMANAGED-POSTGRESQL-8722244
- published14 Feb 2025
- disclosed13 Feb 2025
- creditStephen Fewer
Introduced: 13 Feb 2025
CVE-2025-1094 (opens in a new tab)How to fix?
Upgrade postgresql to version 13.19, 14.16, 15.11, 16.7, 17.3 or higher.
Overview
Affected versions of this package are vulnerable to Improper Neutralization of Quoting Syntax in the psql tool via the libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn(). An attacker could achieve arbitrary code execution by leveraging the interactive tool’s ability to run meta-commands which run shell commands with the privileges of the service. Meta-commands extend the interactive tool's functionality by providing a wide variety of additional operations that the interactive tool can perform. The meta-command, identified by the exclamation mark symbol, allows an operating system shell command to be executed.
Note:
This is only exploitable if the application uses the function result to construct input to psql. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL.