EDB CVE Assessments

Suggest edits

The CVEs listed in this section are from PostgreSQL and other parties who have reported them and that may have an impact on EDB products.

Released 2025

CVE-2025-8715

Read Assessment Updated: 2025/08/14

PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server

All versions of Postgresql prior to 17.6, 16.10, 15.14, 14.19, 13.22 3.x, EDB Postgres Extended Server prior to 17.6.0, 16.10.0, 15.14.0, 14.19.0, 13.22 , EDB Postgres Advanced Server prior to 17.6.0, 16.10.0, 15.14.0, 14.19.0, 13.22

Summary: Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected.
Read More...

CVE-2025-8714

Read Assessment Updated: 2025/08/14

PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client

All versions of Postgresql prior to 17.6, 16.10, 15.14, 14.19, 13.22 3.x, EDB Postgres Extended Server prior to 17.6.0, 16.10.0, 15.14.0, 14.19.0, 13.22 , EDB Postgres Advanced Server prior to 17.6.0, 16.10.0, 15.14.0, 14.19.0, 13.22

Summary: Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096
Read More...

CVE-2025-46801

Read Assessment Updated: 2025/07/04

Pgpool-II Authentication Bypass

All versions of EDB Pool prior to 4.5.1-4, PGPool-II versions prior to 4.6.1, 4.5.7, 4.4.12, 4.3.15, and 4.2.22

Summary: Pgpool-II contains an authentication bypass vulnerability that can be exploited under certain conditions. If an attacker exploits the vulnerability they may be able to log in to the system as an arbitrary user, which could allow them to read or tamper with data in the database, and/or disable the database.
Read More...

CVE-2025-2291

Read Assessment Updated: 2025/04/30

PgBouncer "VALID UNTIL yesterday"

All versions of PGBouncer prior to 1.24.1, TPA prior to 23.38.0, PGAI Cloud Service prior to May 12, 2025

Summary: In PgBouncer, the auth_query mechanism does not consider the VALID UNTIL attribute set in PostgreSQL for user passwords. This oversight allows users to authenticate using expired passwords, potentially granting unauthorized access. The flaw was fixed in [PgBouncer 1.24.1](https://www.pgbouncer.org/changelog.html#pgbouncer-124x).
Read More...

CVE-2025-1094

Read Assessment Updated: 2025/02/15

PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation

All versions of PostgreSQL, EPAS and PGE prior to 17.3, 16.7, 15.11, 14.16, and 13.19

Summary: Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Read More...

Released 2024

CVE-2024-7348

Read Assessment Updated: 2024/08/15

PostgreSQL relation replacement during pg_dump executes arbitrary SQL

All versions of PostgreSQL, EPAS and PGE prior to 16.4, 15.8, and 14.13

Summary: Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
Read More...

CVE-2024-4317

Read Assessment Updated: 2024/05/09

Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner

All versions of PostgreSQL, EPAS and PGE prior to 16.3, 15.7, and 14.12

Summary: Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
Read More...

CVE-2024-1597

Read Assessment Updated: 2024/03/08

SQL Injection via line comment generation

pgJDBC all versions prior to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 and EDB pgJDBC all versions prior to 42.5.5

Summary: pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
Read More...

CVE-2024-0985

Read Assessment Updated: 2025/01/31

PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL

PostgreSQL, EPAS all versions prior to 15.6.0,14.11.0,13.14.20 and 12.18.23, PGE all versions prior to 15.6.0

Summary: Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
Read More...

CVE-2020-10531

Read Assessment Updated: 2024/11/14

Integer overflow in ICU doAppend()

All versions of EDB Postgres Advanced Server from 13 through 16

Summary: The original vulnerability was an integer overflow leading to a heap-based buffer overflow in UnicodeString::doAppend() in ICU (International Components for Unicode) for C/C++ which existed up to (and including) version 66.1.
Read More...

Could this page be better? Report a problem or suggest an addition!