The PostgreSQL Global Development Group has announced a major security update affecting all supported versions of the world's most advanced open-source relational database. The update applies to PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22, as well as the third beta release of PostgreSQL 18. According to the advisory, this release fixes 3 security vulnerabilities and over 55 bugs reported over the last several months.
The first flaw, CVE-2025-8713, carries a CVSS score of 3.1 and impacts PostgreSQL versions 13 through 17. The advisory explains:
"PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access… statistics allow a user to read sampled data that a row security policy intended to hide."
In other words, the planner's per-column statistics (histograms and most-common-values lists, gathered by sampling table data) could be used to bypass the access control list on a view and the row security policies on a table, exposing sampled values from rows and columns the user is not allowed to read directly.
The second issue, CVE-2025-8714, is far more severe, with a CVSS score of 8.8. The flaw resides in PostgreSQL's pg_dump utility: a malicious superuser on the origin server could inject arbitrary code into the dump output that executes when the dump is restored, with the privileges of the operating-system account running psql on the restoring side. The advisory warns:
"Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql."
This vulnerability affects pg_dump, pg_dumpall, and pg_restore when they produce plain-format (SQL text) dumps, that is, output meant to be replayed through psql, which interprets backslash meta-commands.
The third flaw, CVE-2025-8715, also scored 8.8 on CVSS and affects PostgreSQL versions 13 through 17. It stems from pg_dump failing to neutralize newline characters in object names when writing them into the dump. Specifically:
"Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code… via psql meta-commands inside a purpose-crafted object name."
Unlike CVE-2025-8714, this one does not require superuser on the origin server: any user able to create an object with a crafted name can use it. It not only enables restore-time arbitrary code execution on the client running psql, but can also be used for SQL injection against the restore target server. The advisory notes that this class of problem had already been fixed in 2012 under CVE-2012-0868, but was reintroduced by changes in version 11.20.
Given the high severity of CVE-2025-8714 and CVE-2025-8715, PostgreSQL users are strongly urged to upgrade immediately. Because the attack surface is the dump-and-restore path, both the server that produces dumps and the client tools (pg_dump, pg_dumpall, pg_restore, psql) used to restore them should be patched to the latest supported release, to prevent both the statistics data leak and code execution during restores that could compromise production environments.
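As an added example, not code from the PostgreSQL project or from the advisory, the following Python script implements two checks an administrator might want after reading this: whether a reported server version is at or above the fixed minor release named above for its branch, and a conservative pre-restore scan of a plain-format dump for psql meta-commands outside COPY data. The function names (`is_fixed_version`, `scan_plain_dump`), the `FIXED_MINOR` table and the sample dump texts are this example's own; the allowlist of meta-commands a legitimate dump may begin a line with (`\connect` from pg_dumpall, the `\restrict`/`\unrestrict` guard that the fixed pg_dump emits, and the `\.` terminator of COPY data) is an assumption of the example, and the scan is a line-based heuristic rather than a psql lexer.

```python
"""Post-advisory checks for PostgreSQL dump/restore (added example).

Not code from the PostgreSQL project.  Assumptions are marked inline.
"""
import re

# Minimum fixed minor release per major branch, as named in the advisory.
FIXED_MINOR = {17: 6, 16: 10, 15: 14, 14: 19, 13: 22}

# Assumption of this example: meta-commands a legitimate plain dump may
# start a line with.  \connect comes from pg_dumpall, \restrict/\unrestrict
# is the guard emitted by fixed pg_dump, and \. terminates COPY data.
ALLOWED_META = {"connect", "restrict", "unrestrict", "."}

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?")   # "16.9" or "18beta3" -> (18, 0)
_META_RE = re.compile(r"^\s*\\(\S*)")            # backslash command at line start
_COPY_RE = re.compile(r"^\s*COPY\b.*\bFROM\s+stdin\s*;\s*$", re.IGNORECASE)


def parse_version(version_text):
    """Return (major, minor) from 'PostgreSQL 16.9 on ...', '16.9' or '18beta3'."""
    m = _VERSION_RE.search(version_text)
    if not m:
        raise ValueError(f"no version number in {version_text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_fixed_version(version_text):
    """True if the branch is one the advisory fixed and the minor is high enough.

    Branches not listed (EOL branches such as 12, or the 18 betas) return
    False, because the advisory names fixed minors only for 13 through 17.
    """
    major, minor = parse_version(version_text)
    fixed_minor = FIXED_MINOR.get(major)
    return fixed_minor is not None and minor >= fixed_minor


def scan_plain_dump(dump_text):
    """Return [(line_no, line)] for backslash commands not on ALLOWED_META.

    Lines inside a COPY ... FROM stdin; block are skipped until the \\.
    terminator: psql does not interpret meta-commands there, and escaped
    data may legitimately begin with a backslash.
    """
    findings = []
    in_copy = False
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        if in_copy:
            if line == "\\.":
                in_copy = False
            continue
        m = _META_RE.match(line)
        if m:
            if m.group(1) not in ALLOWED_META:
                findings.append((line_no, line))
            continue
        if _COPY_RE.match(line):
            in_copy = True
    return findings


# Constructed sample: what a dump from a fixed pg_dumpall might look like,
# including a COPY data line that begins with an escaped backslash.
SAMPLE_DUMP_CLEAN = """\
\\restrict 7f3a9c
\\connect postgres
--
-- Name: accounts; Type: TABLE; Schema: public; Owner: app
--
CREATE TABLE public.accounts (id integer, note text);
COPY public.accounts (id, note) FROM stdin;
1\t\\\\not a meta-command, just escaped COPY data
\\.
\\unrestrict 7f3a9c
"""

# Constructed sample of the newline problem the advisory describes: an
# object name containing a newline ends pg_dump's "-- Name:" comment
# early, so the rest of the name starts a fresh line that psql would read
# as a meta-command.  The \\! line is a harmless placeholder, not a payload.
SAMPLE_DUMP_INJECTED = """\
--
-- Name: accounts; Type: TABLE; Schema: public; Owner: app
--
CREATE TABLE public.accounts (id integer, note text);
COPY public.accounts (id, note) FROM stdin;
1\t\\\\not a meta-command, just escaped COPY data
\\.
--
-- Name: evil
\\! echo injected
; Type: TABLE; Schema: public; Owner: app
--
"""

if __name__ == "__main__":
    for text in ("PostgreSQL 16.9 on x86_64-pc-linux-gnu", "PostgreSQL 17.6"):
        print(text, "->", "fixed" if is_fixed_version(text) else "UPGRADE")
    for name, dump in (("clean", SAMPLE_DUMP_CLEAN), ("injected", SAMPLE_DUMP_INJECTED)):
        print(name, "->", scan_plain_dump(dump) or "no unexpected meta-commands")
```

The scan is a safety net for dumps that originate from servers you do not fully trust, not a substitute for patching both sides. Restoring custom- or directory-format archives directly with `pg_restore -d` (which speaks to the server over libpq rather than through psql) also removes the psql meta-command vector, but the newline and untrusted-data fixes in the new releases are what actually close these CVEs.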