The PostgreSQL Global Development Group has released urgent security updates to address three critical vulnerabilities affecting versions 13 through 17. These flaws could allow attackers to execute arbitrary code during database restoration processes, posing significant risks to organizations relying on PostgreSQL for data management.
Key Takeaways:
1. Attackers can inject and execute arbitrary code during restoration via pg_dump flaws.
2. An optimizer statistics bug lets unauthorized users access restricted data.
3. Upgrading to the latest versions immediately is crucial to mitigate these risks.
These vulnerabilities lie in the pg_dump utility, a fundamental tool for database backups, turning routine maintenance operations into potential attack vectors.
Malicious Superuser Code Injection Flaw
The most severe vulnerability, identified as CVE-2025-8714 with a CVSS score of 8.8, allows malicious superusers on origin servers to inject arbitrary code that executes during restoration. The flaw stems from pg_dump including untrusted data in its output, which lets attackers embed malicious psql meta-commands within backup files.
When administrators restore these compromised backups using psql, the embedded commands execute with the privileges of the client operating system account performing the restoration. This attack methodology is similar to MySQL’s CVE-2024-21096, indicating a broader pattern of dump utility exploitation across database platforms.
The vulnerability extends beyond the primary pg_dump utility, affecting pg_dumpall for cluster-wide backups and pg_restore when generating plain-format dumps. Security researchers Martin Rakhmanov, Matthieu Denais, and RyotaK discovered and reported this critical flaw to the PostgreSQL project.
Improper Neutralization of Newlines in Object Names
Another critical vulnerability, CVE-2025-8715, also scoring 8.8 on the CVSS scale, stems from improper neutralization of newlines in object names within pg_dump output. Attackers can craft database objects whose names contain embedded newline characters followed by psql meta-commands.
During restoration, these malicious object names trigger code execution on the client system running psql and can potentially achieve SQL injection as a superuser on the target database server. This vulnerability is a regression of earlier security controls: CVE-2012-0868 had previously addressed similar attack patterns, before version 11.20 reintroduced the weakness.
This flaw affects multiple PostgreSQL utilities, including pg_dumpall, pg_restore, and pg_upgrade, expanding the potential attack surface across various database maintenance operations. Noah Misch, a PostgreSQL contributor, identified and reported this vulnerability.
Information Disclosure via Optimizer Statistics
CVE-2025-8713 covers a subtler but still significant information disclosure vulnerability in PostgreSQL’s optimizer statistics functionality. With a CVSS score of 3.1, this vulnerability allows users to access sampled data from views, partitions, or child tables that should be restricted by access control lists (ACLs) or row security policies.
Summary of Vulnerabilities:
| CVE | Title | CVSS v3.1 Score | Severity |
|---------------|--------------------------------------------------------------|-----------------|----------|
| CVE-2025-8714 | pg_dump lets superuser execute arbitrary code in psql client | 8.8 | High |
| CVE-2025-8715 | pg_dump newline in object name executes arbitrary code | 8.8 | High |
| CVE-2025-8713 | Optimizer statistics expose sampled data in restricted views | 3.1 | Low |
Immediate Remediation Steps
To mitigate these vulnerabilities, organizations should upgrade to the fixed PostgreSQL versions: 17.6, 16.10, 15.14, 14.19, or 13.22, released on August 14, 2025.
Additionally, implementing strict access controls for database administration tools, validating dumps from untrusted sources, and applying the principle of least privilege during restoration operations are essential measures to enhance security.
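One way to act on the advice to validate dumps from untrusted sources before restoring them, as an added example that is not code from the PostgreSQL project or this article: a Python triage scanner that flags the psql meta-commands a plain-format dump would run on restore (the newline-in-object-name case described above included), while skipping COPY data blocks where backslashes are legitimate. The `\connect` allowlist and the sample dump are assumptions constructed for this example.

```python
import re

# Meta-commands pg_dump/pg_dumpall legitimately emit in plain-format output
# (pg_dumpall switches databases with \connect). Assumption for this example:
# any other backslash command outside COPY data is suspect.
ALLOWED_META = {"connect"}

META_LINE = re.compile(r"^\s*\\(\S+)")          # psql skips leading whitespace
COPY_START = re.compile(r"^COPY\s.*\bFROM\s+stdin;\s*$")


def find_suspicious_meta_commands(dump_text):
    """Return (line_number, meta_command, line) for backslash commands psql
    would run while restoring this plain-format dump. COPY data blocks are
    skipped because COPY text format uses \\N for NULL and \\. as terminator.
    Dollar-quoted bodies are not tracked, so review hits there by hand."""
    findings = []
    in_copy = False
    for lineno, line in enumerate(dump_text.splitlines(), 1):
        if in_copy:
            if line.rstrip() == r"\.":
                in_copy = False
            continue
        if COPY_START.match(line):
            in_copy = True
            continue
        m = META_LINE.match(line)
        if m and m.group(1) not in ALLOWED_META:
            findings.append((lineno, "\\" + m.group(1), line))
    return findings


# Constructed sample: a table named with an embedded newline breaks the
# "-- Name:" comment so a \! shell meta-command starts a fresh line.
SAMPLE_DUMP = """\
--
-- Name: t
\\! id; Type: TABLE; Schema: public; Owner: app
--

CREATE TABLE public."t
\\! id" (id integer);

COPY public.users (id, name) FROM stdin;
1\tAlice
2\t\\N
\\.

\\connect postgres
"""
```

Running `find_suspicious_meta_commands(SAMPLE_DUMP)` reports the two `\!` lines and nothing else; a hit means the dump should be inspected rather than piped into psql.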