{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-8715", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "state": "PUBLISHED", "assignerShortName": "PostgreSQL", "dateReserved": "2025-08-07T16:39:47.692Z", "datePublished": "2025-08-14T13:00:07.753Z", "dateUpdated": "2025-08-15T03:55:56.953Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2025-08-14T13:00:07.753Z"}, "title": "PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server", "descriptions": [{"lang": "en", "value": "Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it."}], "affected": [{"defaultStatus": "unaffected", "product": "PostgreSQL", "vendor": "n/a", "versions": [{"lessThan": "17.6", "status": "affected", "version": "17", "versionType": "rpm"}, {"lessThan": "16.10", "status": "affected", "version": "16", "versionType": "rpm"}, {"lessThan": "15.14", "status": "affected", "version": "15", "versionType": "rpm"}, {"lessThan": "14.19", "status": "affected", "version": "14", "versionType": "rpm"}, {"lessThan": "13.22", "status": "affected", "version": "11.20", "versionType": "rpm"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-93", "type": "CWE", "description": "Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2025-8715/"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "configurations": [{"lang": "en", "value": "attacker can direct pg_dump to a chosen origin server or has permission to create non-temporary objects in at least one schema that pg_dump will export"}], "workarounds": [{"lang": "en", "value": "To block attacks against the psql client, use \"pg_restore --dbname\" instead of restore methods that involve \"psql\". To block SQL injection against the restore target server, revoke the CREATE permission from non-superusers at the origin server."}], "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Noah Misch for reporting this problem."}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-14T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-8715"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T03:55:56.953Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8715", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-14T19:55:32.483550Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-14T19:55:36.722Z"}}], "cna": {"title": "PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server", "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Noah Misch for reporting this problem."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "n/a", "product": "PostgreSQL", "versions": [{"status": "affected", "version": "17", "lessThan": "17.6", "versionType": "rpm"}, {"status": "affected", "version": "16", "lessThan": "16.10", "versionType": "rpm"}, {"status": "affected", "version": "15", "lessThan": "15.14", "versionType": "rpm"}, {"status": "affected", "version": "14", "lessThan": "14.19", "versionType": "rpm"}, {"status": "affected", "version": "11.20", "lessThan": "13.22", "versionType": "rpm"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2025-8715/"}], "workarounds": [{"lang": "en", "value": "To block attacks against the psql client, use \"pg_restore --dbname\" instead of restore methods that involve \"psql\". To block SQL injection against the restore target server, revoke the CREATE permission from non-superusers at the origin server."}], "descriptions": [{"lang": "en", "value": "Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "configurations": [{"lang": "en", "value": "attacker can direct pg_dump to a chosen origin server or has permission to create non-temporary objects in at least one schema that pg_dump will export"}], "providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2025-08-14T13:00:07.753Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8715", "state": "PUBLISHED", "dateUpdated": "2025-08-15T03:55:56.953Z", "dateReserved": "2025-08-07T16:39:47.692Z", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "datePublished": "2025-08-14T13:00:07.753Z", "assignerShortName": "PostgreSQL"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it."}], "id": "CVE-2025-8715", "lastModified": "2025-08-15T13:13:07.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary"}]}, "published": "2025-08-14T13:15:37.880", "references": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "url": "https://www.postgresql.org/support/security/CVE-2025-8715/"}], "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary"}]}

{"bugzilla": {"description": "postgresql: PostgreSQL executes arbitrary code in restore operation", "id": "2388551", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388551"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-93", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-8715", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "postgresql16", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "postgresql:12/postgresql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "postgresql:13/postgresql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "postgresql:15/postgresql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "postgresql:16/postgresql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "postgresql:15/postgresql", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "postgresql:16/postgresql", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-14T13:00:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-8715\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-8715\nhttps://www.postgresql.org/support/security/CVE-2025-8715/"], "threat_severity": "Important"}