CVE-2025-8714 - PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client

First Published: 2025/08/14

Last Updated: 2025/08/14

Important: This is an assessment of the impact of CVE-2025-8714 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

Summary

Summary

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096.

Vulnerability details

CVE-ID: CVE-2025-8714

CVE Publish Date: 2025-08-14

CVSS Base Score: 8.8

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products and versions

PostgreSQL

• All versions prior to 17.6
• All versions prior to 16.10
• All versions prior to 15.14
• All versions prior to 14.19
• All versions prior to 13.22

EDB Postgres Extended Server

• All versions prior to 17.6.0
• All versions prior to 16.10.0
• All versions prior to 15.14.0
• All versions prior to 14.19.0
• All versions prior to 13.22

EDB Postgres Advanced Server

• All versions prior to 17.6.0
• All versions prior to 16.10.0
• All versions prior to 15.14.0
• All versions prior to 14.19.0
• All versions prior to 13.22

Remediation/fixes

EDB-Pgpool

EDB Postgres Extended Server

EDB Postgres Advanced Server

References

• CVSS Calculator v3.1
• https://www.postgresql.org/support/security/CVE-2025-8714/

Related information

• EnterpriseDB
• EDB Blogs link

Acknowledgement

Source: PostgreSQL project