CVE-2025-1094
Published: 13 February 2025
Description
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Security Summary
CVE-2025-1094 is an improper neutralization of quoting syntax (CWE-149) in the PostgreSQL libpq escaping functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() and PQescapeStringConn(). In certain usage patterns their output can still contain a quote that is not neutralized, which enables SQL injection. PostgreSQL versions before 17.3, 16.7, 15.11, 14.16 and 13.19 are affected. The same class of flaw exists in the PostgreSQL command line utility programs when client_encoding is BIG5 and server_encoding is EUC_TW or MULE_INTERNAL; there, whoever supplies the command line arguments can achieve SQL injection.
Exploitation requires a specific usage pattern: the application escapes attacker-controlled data with one of the affected functions and then uses the result to build input for psql, the PostgreSQL interactive terminal, instead of sending the value to the server as a bound query parameter. Any party that can supply such a string (the "database input provider" in the advisory's wording) can act as the attacker; likewise, a source of command line arguments for the affected utilities can trigger injection under the encoding conditions above. The CVSS 3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H with a base score of 8.1: no privileges or user interaction are required and the attack can be delivered over the network, but attack complexity is high because the vulnerable usage pattern must be present, while a successful injection has high impact on confidentiality, integrity and availability.
The official PostgreSQL security advisory at https://www.postgresql.org/support/security/CVE-2025-1094/ and the related announcements on the oss-security and Debian LTS lists describe mitigations, primarily upgrading to 17.3, 16.7, 15.11, 14.16 or 13.19. Note that the fix lives in libpq and the client utilities, so the client-side library and tools must be updated, not only the server. Applications that assemble psql scripts from escaped user data should also be reworked to pass values as query parameters over a libpq connection, which removes the vulnerable pattern regardless of library version.
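The following is an added, constructed illustration of the usage pattern described above; it is not code from PostgreSQL, libpq, psql or this advisory. It models the root cause as published with the fix: the escaping functions trusted the byte length implied by a multibyte lead byte and copied the following bytes without checking that they were continuation bytes, so an invalid lead byte such as 0xC0 could swallow the quote after it, and a byte-oriented consumer like psql's lexer then sees that quote as the end of the literal. The escaper and lexer models, the function names, the UTF-8 client encoding and the sample inputs are all assumptions made for illustration.

```python
"""Constructed model of the CVE-2025-1094 quoting flaw. This is NOT libpq or
psql code; it reproduces the shape of the published bug so the vulnerable usage
pattern (escape, then feed to psql) can be followed end to end. The client
encoding is assumed to be UTF-8."""


def utf8_mblen(lead: int) -> int:
    """Byte length a UTF-8 lead byte claims for its character, derived from the
    first byte alone, without looking at what actually follows it."""
    if lead < 0x80:
        return 1
    if lead & 0xE0 == 0xC0:
        return 2
    if lead & 0xF0 == 0xE0:
        return 3
    if lead & 0xF8 == 0xF0:
        return 4
    return 1


def escape_literal_vulnerable(data: bytes) -> bytes:
    """Model of the pre-fix behaviour: every ' is doubled, but after a high-bit
    lead byte the escaper copies mblen-1 more bytes as part of the 'character'
    without validation. A quote hidden there is copied through undoubled."""
    out = bytearray(b"'")
    i = 0
    while i < len(data):
        b = data[i]
        if b == 0x27:                      # '  -> ''
            out += b"''"
            i += 1
        elif b >= 0x80:                    # assumed start of a multibyte character
            n = utf8_mblen(b)
            out += data[i:i + n]           # no check that these are continuation bytes
            i += n
        else:
            out.append(b)
            i += 1
    out += b"'"
    return bytes(out)


def escape_literal_fixed(data: bytes) -> bytes:
    """Hardened variant (assumption, not the fixed libpq code): validate the bytes
    in the client encoding before quoting and refuse invalid input, so no byte can
    masquerade as a continuation byte. This follows the fix's principle of
    validating rather than trusting the lead byte."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid UTF-8 at byte {exc.start}") from exc
    return b"'" + data.replace(b"'", b"''") + b"'"


def rejects(escaper, data: bytes) -> bool:
    """True if the escaper refuses the input instead of quoting it."""
    try:
        escaper(data)
    except ValueError:
        return True
    return False


def build_query(user_input: bytes, escaper) -> bytes:
    """The risky usage pattern from the advisory: the escaped value is spliced into
    SQL text destined for psql rather than sent as a bound parameter."""
    return b"SELECT * FROM users WHERE name = " + escaper(user_input) + b";"


def split_statements(script: bytes) -> list:
    """Byte-oriented model of how psql's lexer separates statements: inside a
    single-quoted literal '' is an escaped quote and any other ' ends the literal
    regardless of the bytes before it; ';' outside a literal ends a statement;
    '--' outside a literal starts a comment that runs to end of line."""
    stmts, cur, in_quote, i = [], bytearray(), False, 0
    while i < len(script):
        b = script[i]
        if in_quote:
            if b == 0x27 and script[i + 1:i + 2] == b"'":
                cur += b"''"
                i += 2
                continue
            if b == 0x27:
                in_quote = False
            cur.append(b)
            i += 1
            continue
        if b == 0x27:
            in_quote = True
        elif b == 0x3B:                    # ';'
            stmts.append(bytes(cur).strip())
            cur = bytearray()
            i += 1
            continue
        elif script[i:i + 2] == b"--":
            nl = script.find(b"\n", i)
            i = len(script) if nl < 0 else nl
            continue
        cur.append(b)
        i += 1
    if cur.strip():
        stmts.append(bytes(cur).strip())
    return stmts


# Constructed inputs: a benign name containing a real 2-byte character, and an
# attacker string whose lone lead byte 0xC0 hides the quote that follows it.
BENIGN = "O'Brían".encode("utf-8")
MALICIOUS = b"\xc0'; DELETE FROM users; --"

if __name__ == "__main__":
    for escaper in (escape_literal_vulnerable, escape_literal_fixed):
        for data in (BENIGN, MALICIOUS):
            if rejects(escaper, data):
                print(escaper.__name__, data, "-> rejected")
            else:
                stmts = split_statements(build_query(data, escaper))
                print(escaper.__name__, data, "->", len(stmts), "statement(s):", stmts)
```

With the vulnerable escaper the malicious input produces two statements, the second being the attacker's DELETE; the hardened escaper refuses the input outright, and both handle the benign name identically. The server itself would reject the invalid byte sequence, which is why the injection only materializes when the escaped text is consumed by a byte-oriented client such as psql rather than sent as a parameter.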
Details
- CWE(s)