PostgreSQL SQL Injection Vulnerability CVE-2025-1094 Identified
🧩 High-severity SQL injection vulnerability discovered in PostgreSQL's psql. Rapid7 identified CVE-2025-1094, a SQL injection vulnerability in PostgreSQL's interactive terminal psql, while researching another vulnerability, CVE-2024-12356 (a command injection flaw in BeyondTrust Privileged Remote Access and Remote Support). Successful exploitation of CVE-2024-12356 turned out to depend on CVE-2025-1094, so when BeyondTrust patched the former, the underlying PostgreSQL flaw was still an unpatched zero-day.

CVE-2025-1094 carries a CVSS score of 8.1 (high). It arises from a flawed assumption in libpq's string escaping routines (PQescapeLiteral, PQescapeIdentifier, PQescapeString and PQescapeStringConn): they determine how many bytes a character occupies from its lead byte alone, so an invalid multi-byte sequence can cause a following single quote to be copied through without being doubled. When the escaped output is used to build input for psql, that quote terminates the literal and the attacker-controlled text that follows is treated as SQL; because psql processes backslash meta-commands such as \! on the client before anything reaches the server, the injection extends to arbitrary operating-system command execution. The affected usage pattern is specifically applications and scripts that feed the escaping functions' output to psql; the PostgreSQL server itself rejects the invalid byte sequence, so the same bytes in a query sent directly over libpq would fail with an encoding error rather than execute.

Users are advised to upgrade to the fixed minor releases of all supported PostgreSQL versions. Rapid7 has provided tools for assessing exposure to this vulnerability in its products. Further technical analysis and remediation details are available in the PostgreSQL advisory.
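The following is an added, simplified model of the escaping flaw described above, written for this page; it is not PostgreSQL's or Rapid7's code. It mimics a lead-byte-driven escaper like PQescapeLiteral, a byte-at-a-time lexer like psql's, and a hardened escaper that validates the encoding first. The attacker input is constructed for illustration: a lone 0xC0 lead byte followed by a quote, then text that should never have been interpreted as SQL.

```python
"""Toy model of CVE-2025-1094 (not PostgreSQL code).

A multi-byte-aware escaper asks "how long is this character?" by looking at
the lead byte only. For an invalid lead byte such as 0xC0 the answer is 2, so
the byte after it is stepped over without inspection, even if it is the quote
that should have been doubled. A byte-oriented lexer (as in psql) then sees
that quote and closes the literal early.
"""


def utf8_lead_len(b: int) -> int:
    """Length a UTF-8 lead byte *claims*, decided from the lead byte alone
    (the behaviour modelled here; continuation bytes are never checked)."""
    if b < 0x80:
        return 1
    if (b & 0xE0) == 0xC0:
        return 2
    if (b & 0xF0) == 0xE0:
        return 3
    if (b & 0xF8) == 0xF0:
        return 4
    return 1  # stray continuation byte: treat as a single byte


def escape_literal_vulnerable(data: bytes) -> bytes:
    """Pre-fix model: trust the claimed length and copy that many bytes."""
    out = bytearray(b"'")
    i = 0
    while i < len(data):
        n = utf8_lead_len(data[i])
        chunk = data[i:i + n]      # with 0xC0 this swallows a following quote
        out += b"''" if chunk == b"'" else chunk
        i += n
    out += b"'"
    return bytes(out)


def escape_literal_fixed(data: bytes) -> bytes:
    """Hardened model: reject anything that is not valid UTF-8 up front, so a
    malformed sequence can never hide a quote from the escaper."""
    try:
        data.decode("utf-8")      # strict decode rejects b"\xc0'"
    except UnicodeDecodeError as e:
        raise ValueError(f"invalid UTF-8 at byte offset {e.start}") from e
    return b"'" + data.replace(b"'", b"''") + b"'"


def outside_literals(sql: bytes) -> bytes:
    """Byte-oriented walk in the spirit of psql's lexer: return the bytes that
    sit outside any single-quoted literal. A doubled quote inside a literal
    is the escape, not a terminator."""
    out = bytearray()
    in_lit = False
    i = 0
    while i < len(sql):
        b = sql[i:i + 1]
        if in_lit:
            if b == b"'":
                if sql[i + 1:i + 2] == b"'":   # '' stays inside the literal
                    i += 2
                    continue
                in_lit = False
        elif b == b"'":
            in_lit = True
        else:
            out += b
        i += 1
    return bytes(out)


# Constructed attacker-controlled value: invalid lead byte, quote, then SQL.
ATTACKER_INPUT = b"\xc0'; SELECT 1 --"


def build_statement(escaper, value: bytes) -> bytes:
    """Assemble the kind of statement a script might hand to psql."""
    return b"SELECT " + escaper(value) + b";"


if __name__ == "__main__":
    stmt = build_statement(escape_literal_vulnerable, ATTACKER_INPUT)
    print("escaped:", stmt)
    print("outside literal (what the lexer treats as SQL):",
          outside_literals(stmt))
    try:
        build_statement(escape_literal_fixed, ATTACKER_INPUT)
    except ValueError as err:
        print("hardened escaper refused input:", err)
```

Run stand-alone, the vulnerable path shows the attacker's `; SELECT 1 --` landing outside the literal, while the hardened path refuses the input before any statement is built. The real psql pipeline adds one step the model omits: a client-side meta-command in that outside region runs before the server ever sees, and would reject, the malformed literal.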
