The pREST project has issued a security advisory for CVE-2025-58450, a systemic SQL injection flaw that threatens users of its PostgreSQL REST API framework. Rated CVSS 9.4 (Critical), the vulnerability affects versions prior to v2.0.0-rc3 and could allow attackers to read sensitive files, extract credentials, and manipulate database content.
pREST describes itself as "a simple production-ready API that delivers an instant, realtime, and high-performance application on top of your existing or new Postgres database."
However, during an independent review, security researchers found that “SQL injection is a systemic problem in the current implementation (version v2.0.0-rc2). Even though there are several instances of attempts to sanitize user input and mitigate injection attempts, we have found that on most code-paths, the protection is faulty or non-existent.”
Core REST endpoints for database operations — including GET, POST, PUT/PATCH, and DELETE — were all found to be vulnerable due to unsafe query construction that concatenates unvalidated input directly into SQL statements.
The advisory warns: “Executing arbitrary commands on the database can allow for unauthorized access and modification of the data stored. Additionally, feature-rich database engines such as Postgres allow access to files stored on the underlying file-system, and may even allow for arbitrary command execution.”
Researchers demonstrated how attackers could exploit the flaw to:
- Read sensitive system files, such as /etc/passwd.
- Steal secrets, API keys, and SSH private keys from environment variables.
- Extract password hashes from internal PostgreSQL tables (pg_shadow).
- Abuse overly permissive database roles. The advisory notes: “The pREST’s official Docker container uses the prest user… This user does have ‘superuser’ permissions, which increases the likelihood of users running pREST with overly permissioned database users which in turn exposes them to the attacks described above.”
Exploitation complexity is considered low, requiring only basic web application security knowledge. As the advisory stresses: “With access to a running instance, basic web application security knowledge is required to find and exploit this issue.”
Because pREST is open source, attackers can study the codebase to develop precise exploit payloads.
pREST has released v2.0.0-rc3, which addresses the vulnerability. The maintainers advise:
- Avoid unsafe string concatenation for query building.
- Apply strict input validation for database, schema, and table identifiers, restricting them to alphanumeric characters, dashes, and underscores.
- Disallow double quotes in user-controlled identifiers to prevent injection via escaped characters.
- Consider shifting to parameterized queries to ensure safe query execution.
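The following Go program is an added illustration of those four recommendations and is not code from the pREST project. It applies the advisory's identifier rules (alphanumerics, dashes and underscores only; no double quotes) before an identifier is allowed into a statement, and binds every value through a numbered placeholder instead of concatenating it. The `Filter` type, the `BuildSelect` function and the 63-byte length cap are assumptions made for the example; `unsafeSelect` is included only to show the concatenation pattern the advisory warns against.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// identRe encodes the advisory's identifier policy: alphanumerics, dashes
// and underscores only. The 1..63 length cap is an assumption for this
// example (Postgres truncates longer identifiers, so rejecting them is safer).
var identRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,63}$`)

// ErrBadIdentifier is returned for any database, schema, table or column
// name that fails validation.
var ErrBadIdentifier = errors.New("invalid SQL identifier")

// ValidateIdentifier checks a user-controlled identifier. Double quotes are
// rejected explicitly (the advisory's point about escaped characters) even
// though the regexp would already exclude them.
func ValidateIdentifier(s string) error {
	if strings.Contains(s, `"`) {
		return ErrBadIdentifier
	}
	if !identRe.MatchString(s) {
		return ErrBadIdentifier
	}
	return nil
}

// QuoteIdentifier validates and then double-quotes an identifier so that
// dashes and mixed case survive Postgres' case folding. Quoting without
// validating first would still let a crafted name break out.
func QuoteIdentifier(s string) (string, error) {
	if err := ValidateIdentifier(s); err != nil {
		return "", fmt.Errorf("%w: %q", err, s)
	}
	return `"` + s + `"`, nil
}

// Filter is a hypothetical "column = value" predicate taken from a request.
type Filter struct {
	Column string
	Value  string
}

// Query is a built statement and the parameters to bind to it.
type Query struct {
	SQL  string
	Args []interface{}
}

// BuildSelect assembles SELECT * FROM "schema"."table" WHERE "col" = $1 ...
// Identifiers are validated and quoted; values never enter the SQL text and
// are returned as bind parameters for db.Query(q.SQL, q.Args...).
func BuildSelect(schema, table string, filters []Filter) (Query, error) {
	qs, err := QuoteIdentifier(schema)
	if err != nil {
		return Query{}, err
	}
	qt, err := QuoteIdentifier(table)
	if err != nil {
		return Query{}, err
	}
	var sb strings.Builder
	fmt.Fprintf(&sb, "SELECT * FROM %s.%s", qs, qt)
	args := make([]interface{}, 0, len(filters))
	for i, f := range filters {
		qc, err := QuoteIdentifier(f.Column)
		if err != nil {
			return Query{}, err
		}
		if i == 0 {
			sb.WriteString(" WHERE ")
		} else {
			sb.WriteString(" AND ")
		}
		// $1, $2, ... are Postgres positional placeholders; the driver
		// sends the value out of band, so it can never be parsed as SQL.
		fmt.Fprintf(&sb, "%s = $%d", qc, i+1)
		args = append(args, f.Value)
	}
	return Query{SQL: sb.String(), Args: args}, nil
}

// unsafeSelect is the pattern to avoid: every input lands verbatim in the
// statement text, so the request author controls the SQL.
func unsafeSelect(schema, table, column, value string) string {
	return fmt.Sprintf("SELECT * FROM %s.%s WHERE %s = '%s'", schema, table, column, value)
}

func main() {
	// Constructed inputs: a benign request and one with a quote in the table name.
	q, err := BuildSelect("public", "users", []Filter{{"name", "alice"}})
	fmt.Println(q.SQL, q.Args, err)
	_, err = BuildSelect("public", `users"; --`, nil)
	fmt.Println("crafted table name rejected:", err)
	fmt.Println("unsafe:", unsafeSelect("public", "users", "name", "alice"))
}
```

Run it with `go run main.go`; the safe builder returns the statement and its bind arguments separately, which is exactly what `database/sql` or pgx expect, while the crafted table name is refused before any SQL is assembled.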