The PostgreSQL Global Development Group has released urgent security updates on August 14, 2025, addressing three critical vulnerabilities that affect all supported versions of the world’s most advanced open-source relational database.
The update covers PostgreSQL versions 17.6, 16.10, 15.14, 14.19, and 13.22, along with fixes for over 55 additional bugs reported in recent months.
Two of the three vulnerabilities carry a severe CVSS score of 8.8, enabling attackers to execute arbitrary code during database restoration processes.
These vulnerabilities pose significant risks to production environments, cloud deployments, and managed database services that rely on PostgreSQL’s backup and restore utilities.
CVE-2025-8714 represents the most critical threat, affecting PostgreSQL’s pg_dump, pg_dumpall, and pg_restore utilities with a CVSS score of 8.8.
This vulnerability allows malicious superusers on the origin server to inject arbitrary code that executes during database restoration.
The vulnerability stems from the inclusion of untrusted data in dump files: psql meta-commands can be embedded in the dump and are later executed under the client operating system account that runs the restore process.
The attack vector requires a compromised superuser account on the source database, enabling injection of psql meta-commands through database objects.
When administrators restore these seemingly legitimate backups, the malicious code executes with full operating system privileges on the target system.
This vulnerability bears similarities to MySQL’s CVE-2024-21096, highlighting a broader class of backup utility security issues.
CVE-2025-8715 presents an equally dangerous threat with the same CVSS score of 8.8. This vulnerability exploits improper neutralization of newline characters in database object names within pg_dump output.
Attackers can craft database object names containing newline sequences followed by psql meta-commands, enabling arbitrary code execution on client systems and SQL injection as a superuser on the restore target server.
Notably, CVE-2025-8715 represents a regression of a previously fixed issue from CVE-2012-0868, which was inadvertently reintroduced in PostgreSQL version 11.20.
The vulnerability affects pg_dump, pg_dumpall, pg_restore, and pg_upgrade utilities, making it particularly concerning for database migration and upgrade workflows.
PostgreSQL Vulnerabilities
CVE-2025-8713 carries a lower but still significant CVSS score of 3.1, affecting PostgreSQL’s optimizer statistics functionality.
This vulnerability allows users to read sampled data within views they cannot access and bypass row security policies in partitioning or table inheritance hierarchies.
Attackers can craft malicious operators that expose sensitive data including histograms and most-common-values lists from database statistics.
While less severe than the code execution vulnerabilities, it continues a line of similar issues addressed in CVE-2017-7484 and CVE-2019-10130, indicating persistent challenges in securing PostgreSQL’s statistics subsystem.
The vulnerability affects all supported PostgreSQL versions from 13 through 17.
Immediate Patching Required
Database administrators must prioritize immediate updates to the latest supported releases to prevent potential compromise of production environments.
According to the report, the PostgreSQL development team emphasizes that these are cumulative updates requiring only a service restart rather than a full database migration.
However, systems with BRIN indexes using the numeric_minmax_multi_ops operator class require additional reindexing after the upgrade to address potential performance issues.
PostgreSQL 13 users face additional urgency as this version reaches end-of-life on November 13, 2025, making migration to newer supported versions critical for continued security updates.
Organizations should implement comprehensive backup validation procedures and restrict superuser access to minimize exposure to these attack vectors while planning their upgrade strategies.
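One concrete backup validation step, added here as example code (not from the PostgreSQL project or the article): scan a plain-text dump for psql meta-commands that appear outside COPY data blocks, which is where a newline smuggled into an object name would surface as an unexpected backslash command before the dump is fed to psql. The EXPECTED_META allowlist and the sample dump are assumptions constructed for this example.

```python
import re

# psql meta-commands a legitimate plain-text pg_dump / pg_dumpall stream is
# expected to contain. Assumption for this example: adjust it to match what
# your own pg_dump version emits (patched releases add \restrict/\unrestrict).
EXPECTED_META = {r"\connect", r"\restrict", r"\unrestrict"}

# Start of an inline COPY data block as emitted by pg_dump.
COPY_START = re.compile(r"^COPY\s.*\sFROM\s+stdin;\s*$", re.IGNORECASE)


def audit_dump(text):
    """Return (line_number, line) for every psql meta-command found outside
    COPY data and not present in EXPECTED_META."""
    findings = []
    in_copy = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if in_copy:
            # COPY data ends with a lone backslash-dot. Data lines inside the
            # block may legitimately start with a backslash (e.g. \N for NULL),
            # so they are skipped rather than flagged.
            if line == r"\.":
                in_copy = False
            continue
        if COPY_START.match(line):
            in_copy = True
            continue
        stripped = line.lstrip()  # psql accepts leading whitespace
        if stripped.startswith("\\"):
            command = stripped.split(None, 1)[0]
            if command not in EXPECTED_META:
                findings.append((lineno, line))
    return findings


def is_safe_to_restore(text):
    """True when the dump contains no unexpected psql meta-commands."""
    return not audit_dump(text)


# Constructed sample: a "-- Name:" header comment broken by a newline in the
# object name, so the remainder of the name lands on its own line as a
# meta-command (an innocuous \echo stands in for anything harmful).
SAMPLE_DUMP = """--
-- PostgreSQL database dump (constructed sample for this example)
--
\\connect mydb
--
-- Name: events
\\echo injected-meta-command; Type: TABLE; Schema: public; Owner: app
--
CREATE TABLE public.events (id integer, note text);
COPY public.events (id, note) FROM stdin;
1\tfirst row
\\N\tnull-id row
\\.
"""

if __name__ == "__main__":
    for lineno, line in audit_dump(SAMPLE_DUMP):
        print(f"line {lineno}: unexpected meta-command: {line}")
```

Run the audit against the output of pg_dump or pg_dumpall (or against `pg_restore -f -` output for custom-format archives) and refuse to restore when it reports findings.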