
PostgreSQL Patched Critical SQL Injection Vulnerability

Security researchers at Rapid7 have uncovered a significant SQL injection vulnerability (CVE-2025-1094) affecting PostgreSQL's interactive terminal tool psql.

Rapid7 noted that it discovered the vulnerability during its recent investigation of the BeyondTrust security incident, highlighting how modern vulnerabilities are often found chained together.

The vulnerability, which carries a CVSS 3.1 base score of 8.1 (High), affects all supported PostgreSQL versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19.

According to Rapid7's findings, the issue stems from the incorrect assumption that untrusted input which has passed through PostgreSQL's string escaping routines is safe to embed in a SQL statement.

Stephen Fewer, Principal Security Researcher at Rapid7, discovered that the vulnerability arises from improper neutralization of quoting syntax in several PostgreSQL libpq functions, including PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn().

The flaw becomes exploitable when the escaped string is embedded in a SQL statement that is then fed to the psql tool, whose input scanner interprets the bytes differently from the escaping routine that produced them.

"An attacker who can generate a SQL injection via CVE-2025-1094 can then achieve arbitrary code execution by leveraging the interactive tool's ability to run meta-commands," explains the Rapid7 advisory. This capability extends to executing operating system shell commands through psql's meta-command functionality.
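To make the escaping failure concrete, here is a constructed Python model of the bug class described above. It is an added illustration, not libpq or psql source: `naive_escape_literal` stands in for a quote-doubling escaper that walks input by multibyte character using only what the lead byte claims, `literal_end`/`trailing_sql` stand in for a byte-oriented consumer such as psql's scanner that knows only `''` as an escaped quote, and `hardened_escape_literal` shows the fix of refusing invalidly encoded input before escaping. The payload (an orphan `0xC0` lead byte directly before a quote, followed by `\! id`) is constructed for the demo; nothing is executed.

```python
# Constructed model of a multibyte-aware escaper desynchronising from a
# byte-oriented consumer. Added example, not libpq/psql code.


def _declared_len(lead: int) -> int:
    """Sequence length a UTF-8 lead byte *claims*.

    A naive escaper trusts this number and skips ahead without checking that
    the following bytes really are continuation bytes (0x80..0xBF).
    """
    if lead < 0x80:
        return 1
    if 0xC0 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF7:
        return 4
    return 1  # stray continuation byte or invalid lead byte: one byte


def naive_escape_literal(raw: bytes) -> bytes:
    """Toy quote-doubling escaper that steps through the input one 'character'
    at a time using only the lead byte's declared length. A quote that follows
    an orphan lead byte is swallowed as part of that character and never doubled."""
    out = bytearray(b"'")
    i = 0
    while i < len(raw):
        n = _declared_len(raw[i])
        chunk = raw[i:i + n]
        out += b"''" if chunk == b"'" else chunk
        i += n
    out += b"'"
    return bytes(out)


def literal_end(escaped: bytes) -> int:
    """Index of the quote that closes the literal, scanning byte by byte the way
    a scanner that only recognises '' as an escaped quote would."""
    if escaped[:1] != b"'":
        raise ValueError("expected a quoted literal")
    i = 1
    while i < len(escaped):
        if escaped[i:i + 1] == b"'":
            if escaped[i + 1:i + 2] == b"'":
                i += 2          # doubled quote: still inside the literal
                continue
            return i
        i += 1
    raise ValueError("unterminated literal")


def trailing_sql(escaped: bytes) -> bytes:
    """Everything the byte-oriented consumer sees *after* the literal ends.
    For benign input this is empty; for the desync case it is attacker text."""
    return escaped[literal_end(escaped) + 1:]


def hardened_escape_literal(raw: bytes) -> bytes:
    """Escaper that rejects invalidly encoded input instead of guessing where
    characters end. Only after strict validation is quote-doubling sound."""
    try:
        text = raw.decode("utf-8")   # strict: 0xC0 without continuation fails
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid UTF-8 in input at byte {exc.start}") from exc
    return b"'" + text.replace("'", "''").encode("utf-8") + b"'"


if __name__ == "__main__":
    benign = b"O'Reilly"
    # Constructed payload: orphan lead byte 0xC0 right before the quote, then
    # text that is a psql meta-command if it lands outside the literal.
    attack = b"x\xc0'; \\! id"
    for label, raw in (("benign", benign), ("attack", attack)):
        esc = naive_escape_literal(raw)
        print(f"{label:6} naive escaped: {esc!r}")
        print(f"{label:6} after literal: {trailing_sql(esc)!r}")
        try:
            print(f"{label:6} hardened:      {hardened_escape_literal(raw)!r}")
        except ValueError as err:
            print(f"{label:6} hardened:      rejected ({err})")
```

Running it shows the naive escaper emitting `'x\xc0'; \! id'` for the attack input: the quote after `0xC0` was never doubled, so a byte-wise scanner closes the literal there and `; \! id` is left outside the string, which is exactly the position from which psql's meta-command handling becomes reachable. The hardened variant rejects the same input before any escaping happens, which is the property the fixed PostgreSQL releases restore.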

The vulnerability gained additional significance when researchers discovered its role in exploiting CVE-2024-12356, a critical vulnerability in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products.

The researcher has also released a Metasploit exploit module for BeyondTrust Privileged Remote Access and Remote Support.

"The exploit can either leverage CVE-2024-12356 and CVE-2025-1094 together or solely leverage CVE-2025-1094 for RCE," the researcher noted. "Arbitrary code execution is achieved with the privileges of the current site user (i.e. not root)."

While BeyondTrust patched its products in December 2024, the underlying PostgreSQL vulnerability remained unpatched until Rapid7 discovered it and reported it upstream.

PostgreSQL has responded swiftly to the disclosure, releasing patches for all affected versions on February 13, 2025. Users are strongly advised to upgrade to the latest patched versions: PostgreSQL 17.3, 16.7, 15.11, 14.16, or 13.19.
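Because the affected functions live in libpq, the build that constructs psql input matters as much as the database server, so both the client (`psql --version`) and the server (`SELECT version()`) should be checked against the fixed versions listed above. The following added Python check (not a PostgreSQL or Rapid7 tool) parses either banner format and compares it against that fix matrix; the sample banners are constructed, and a major branch not in the list (an end-of-life release such as 12, or a pre-release) is reported as not covered rather than as patched.

```python
import re

# First minor release of each supported major branch that carries the fix,
# as listed in the PostgreSQL release announcement.
FIXED_MINOR = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}

# Matches both "PostgreSQL 16.6 on x86_64-..." (SELECT version())
# and "psql (PostgreSQL) 16.6 (Debian ...)" (psql --version).
_BANNER_RE = re.compile(r"PostgreSQL\)?\s+(\d+)(?:\.(\d+))?")


def parse_version(banner: str) -> tuple[int, int]:
    """Extract (major, minor) from a version banner; minor defaults to 0."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"not a PostgreSQL version banner: {banner!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def fix_status(major: int, minor: int) -> str:
    """'patched', 'vulnerable', or 'not covered' for branches outside the fix list."""
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return "not covered"       # EOL branch or pre-release: treat as unpatched
    return "patched" if minor >= fixed else "vulnerable"


def assess(banner: str) -> str:
    """One-line verdict for a banner string."""
    major, minor = parse_version(banner)
    return f"{major}.{minor}: {fix_status(major, minor)}"


if __name__ == "__main__":
    # Constructed sample banners covering both formats and the edge cases.
    samples = [
        "PostgreSQL 16.6 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit",
        "psql (PostgreSQL) 17.3 (Debian 17.3-1.pgdg120+1)",
        "PostgreSQL 13.19 on aarch64-unknown-linux-gnu",
        "psql (PostgreSQL) 12.22",
    ]
    for banner in samples:
        print(assess(banner))
```

On a host the same logic is fed with `psql --version` for the client and `psql -Atc "SELECT version()"` for the server; a client reporting `vulnerable` still needs upgrading even when the server is already on a fixed release.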
