VDB
DEBIAN-CVE-2025-8714
DEBIAN-CVE-2025-8714
PUBLISHED
CVSS 8.800000190734863 HIGH
Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
Risk Scores
CVSS 3.1
8.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | postgresql-15 | 0, 15.12-0+deb12u2, 15.13-0+deb12u1 |
| Debian:11 | postgresql-13 | 0, 13.11-0+deb11u1, 13.13-0+deb11u1 |
| Debian:13 | postgresql-17 | 0, 17.5-1, 0 |
Exploit Intelligence
- PoC de RCE en PostgreSQL — CVE-2025-8714 (github-poc)
- dbutil.go (github-poc)
- context.go (github-poc)
- schema_cleaner_spec.rb (github-poc)
- ghost_report_20260112_192608.json (github-poc)
- ghost_report_20260112_175243.json (github-poc)
- ghost_report_20260112_182220.json (github-poc)
Timeline
- Aug 14, 2025 CVE Published
- Apr 28, 2026 CVE Updated