CVE-2025-8714

Summary

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

Affected Software

VendorProductVersion RangeStatus
n/aPostgreSQL17 < 17.6affected
n/aPostgreSQL16 < 16.10affected
n/aPostgreSQL15 < 15.14affected
n/aPostgreSQL14 < 14.19affected
n/aPostgreSQL0 < 13.22affected

Weaknesses

  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Workarounds

use "pg_restore –dbname" instead of restore methods that involve "psql"

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References