#VU103970 Input validation error in PostgreSQL - CVE-2025-1094
Published: February 14, 2025 / Updated: June 20, 2025
Vulnerability identifier: #VU103970
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2025-1094
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
PostgreSQL
PostgreSQL
Software vendor:
PostgreSQL Global Development Group
PostgreSQL Global Development Group
Description
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient validation of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() and within the command line utility programs when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. A remote attacker can pass specially crafted input to the application and execute arbitrary SQL queries in the database.
Note, the vulnerability is being actively exploited in the wild.
Remediation
Install update from vendor's website.