CVE-2025-1094: PostgreSQL psql SQL injection
Posted on Mon 17 February 2025 in Blog
As mentioned yesterday in the Wochennotiz, there was a critical bug in all PostgreSQL versions. The bug itself has an overall score of 8.9, but the good thing about it is that it is not simple to exploit.
The flaw was discovered by Stephen Fewer of Rapid7 and they have a detailed blog posting about the exploit.
What is the bug about?
According to the PostgreSQL description:
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal.
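The usage pattern the description warns about is an application taking the output of an escaping function and splicing it into SQL text that is then handed to psql. The following Python snippet is an added illustration, not libpq's or PostgreSQL's own code: it models the contract the fixed escaping functions enforce (the fix hardened them against input that is not valid in the client encoding) as a pre-check a defender can apply in their own glue code, and it keeps escaped output in a value the program controls instead of a psql script. The client encoding of UTF-8 and the sample inputs are constructed assumptions.

```python
"""Validate then quote a value before it is ever placed into SQL text.

Added example for CVE-2025-1094 discussion: mimics the behaviour of libpq's
escaping functions after the fix (reject invalidly-encoded input, then
escape). Not libpq's implementation; assumes a UTF-8 client encoding.
"""


def validate_encoding(raw: bytes, client_encoding: str = "utf-8") -> str:
    """Strictly decode `raw`; an invalid byte sequence raises instead of
    silently passing through to the quoting step."""
    try:
        return raw.decode(client_encoding, errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(
            f"input is not valid {client_encoding}: {exc.reason}"
        ) from exc


def quote_literal(raw: bytes, client_encoding: str = "utf-8") -> str:
    """Counterpart of PQescapeLiteral: validate, then double single quotes
    and wrap in single quotes."""
    text = validate_encoding(raw, client_encoding)
    return "'" + text.replace("'", "''") + "'"


def quote_identifier(raw: bytes, client_encoding: str = "utf-8") -> str:
    """Counterpart of PQescapeIdentifier: validate, then double double quotes
    and wrap in double quotes."""
    text = validate_encoding(raw, client_encoding)
    return '"' + text.replace('"', '""') + '"'


# Constructed sample inputs (assumption: what an application might receive
# from an external input provider).
SAMPLES = {
    "plain": b"O'Reilly",
    "multibyte": "Zürich".encode("utf-8"),
    # The trailing byte of a two-byte UTF-8 sequence is missing: this must be
    # refused, not escaped.
    "truncated": b"Z\xc3",
}


def check_samples() -> dict:
    """Return the quoted literal for each sample, or None where the
    encoding check rejected the input."""
    results = {}
    for name, raw in SAMPLES.items():
        try:
            results[name] = quote_literal(raw)
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    for name, quoted in check_samples().items():
        print(f"{name:10s} -> {quoted!r}")
```

The point of the pre-check is that an escaping routine can only neutralize quotes it can correctly see; input that does not decode in the client encoding must be rejected before quoting. Even with that check in place, the safer design is to bind values as query parameters through the driver rather than to build SQL text for psql at all.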
It seems to me that the bug can only be exploited in conjunction with the use of psql.
I guess this is a good thing.
Depending on the network topology, access to a PostgreSQL cluster via psql should normally be fairly limited.
And what's even better, the bug is fixed in all PostgreSQL versions :-)
A small disclaimer: there will be an out-of-cycle release as the bugfix introduced a little regression: Out-of-cycle release scheduled for February 20, 2025.
What is libpq?
libpq is an API to PostgreSQL and is widely used by client libraries. The psycopg documentation, for example, states the following:
Psycopg is built around the libpq, the PostgreSQL client library, which performs most of the network communications and returns query results in C structures.
To my knowledge many of the PostgreSQL connection libraries out there in all kinds of languages use libpq under the hood.
How secure is PostgreSQL?
I actually think PostgreSQL is pretty secure. Like all software, it contains bugs. Bugs can be exploited by talented engineers. Especially if they have - more or less - unlimited resources, as state actors do.
But in my opinion the PostgreSQL project takes security quite seriously. According to an article by Connor Jones of The Register, the whole disclosure process was pretty good:
Condon praised the PostgreSQL team for their cooperation and communication during the disclosure process.
She said: "One teeny tiny last semi-personal note – this is one of the most straightforward disclosure timelines we've been able to put in a [coordinated vulnerability disclosure] blog in a while, which is extra nice (and unfortunately not the norm in recent years) and also makes me extra grateful to the PostgreSQL dev group."
I would say that the PostgreSQL project has a pretty good track record in dealing with security issues. In my opinion, the project is not whining about a bug and trying to fix the problem.
And that is why I think the PostgreSQL project is a trustworthy project. A project that you can rely on to handle your data properly.