PostgreSQL releases updates that fix a libpq bug


A few days ago, PostgreSQL announced corrective releases for all supported branches (versions 17.3, 16.7, 15.11, 14.16 and 13.19). These updates fix more than 70 bugs and, above all, close the vulnerability tracked as CVE-2025-1094, which is linked to the attack on BeyondTrust and the US Treasury Department that came to light in late December 2024.

The vulnerability was found during the analysis of another remotely exploitable flaw (CVE-2024-12356) in the BeyondTrust PRA (Privileged Remote Access) and BeyondTrust RS (Remote Support) products; that analysis showed that exploitation depended on a previously unknown (0-day) vulnerability in the libpq library.

On the vulnerability that affected BeyondTrust

The PostgreSQL flaw lives in libpq, the library that provides the C API for talking to PostgreSQL and that also underpins the bindings used from C++, Perl, PHP and Python.

The vulnerability is improper validation of multibyte (UTF-8) characters in libpq's string-escaping functions (PQescapeLiteral, PQescapeIdentifier, PQescapeString and PQescapeStringConn). These functions exist to neutralize quoting characters before user-controlled text is spliced into SQL, and so to prevent SQL injection. Because they did not verify that a multibyte sequence was actually valid, certain invalid UTF-8 sequences could carry a single quote past the quote-doubling logic untouched.

Attack method

The flaw allows SQL injection in applications that rely on these functions to build queries, and it becomes far more serious when the resulting text is fed to the psql command-line utility. psql interprets backslash meta-commands in its input, and the `\!` meta-command runs an arbitrary operating-system command on the host where psql is running (in the BeyondTrust case, the server). The public proof of concept used exactly this to invoke the `id` utility.

The exploit relies on an invalid UTF-8 sequence made of the bytes 0xC0 and 0x27. On its own, 0x27 is the ASCII single quote, which the escape function would normally double to neutralize it. But 0xC0 is the lead byte of a two-byte UTF-8 sequence, and the vulnerable code trusted that lead byte: it treated 0xC0 0x27 as one two-byte character and copied it through without ever looking at the 0x27 inside, so the quote reached the output unescaped. The server's encoding check rejects the query because the sequence is not valid UTF-8, but psql's own input scanner has already seen the stray quote close the string literal, so whatever follows on the line, such as `\! id`, is handled as a meta-command before any SQL is sent.
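The mechanism described above, as an added example that is not PostgreSQL's own code: a minimal model of the libpq escape loop in its pre-fix and hardened forms. The function names (`escape_vulnerable`, `escape_hardened`, `has_unescaped_quote`) are hypothetical, the payload is constructed for the demo, and only single quotes are doubled (the standard_conforming_strings=on case); the real functions also handle backslashes and connection encoding.

```c
/*
 * Added example, not PostgreSQL code: a minimal model of the libpq escape
 * loop in its pre-fix and hardened forms. Function names are hypothetical.
 * Only single quotes are doubled here (standard_conforming_strings=on);
 * backslash handling is omitted to keep the model short.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 1024

/* Byte length a UTF-8 lead byte promises (the lookup pg_utf_mblen performs). */
static int utf8_lead_len(unsigned char b)
{
    if (b < 0x80)           return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 1;               /* stray continuation byte: treat as one byte */
}

/* Pre-fix behaviour: trust the lead byte and copy the whole "character"
 * verbatim. A 0x27 quote sitting where a continuation byte should be is
 * never inspected and therefore never doubled. Returns the output length. */
static size_t escape_vulnerable(char *to, const char *from, size_t len)
{
    const char *end = from + len;
    char *out = to;

    while (from < end) {
        int mblen = utf8_lead_len((unsigned char) *from);

        if (mblen > 1) {
            if ((size_t) (end - from) < (size_t) mblen)  /* truncated at end */
                mblen = (int) (end - from);
            memcpy(out, from, (size_t) mblen);          /* blind copy: the bug */
            out  += mblen;
            from += mblen;
            continue;
        }
        if (*from == '\'')
            *out++ = '\'';                /* double the quote */
        *out++ = *from++;
    }
    *out = '\0';
    return (size_t) (out - to);
}

/* Hardened behaviour: before trusting mblen, check that the sequence fits
 * and that every trailing byte really is a continuation byte (0x80..0xBF).
 * Returns the output length, or -1 with an empty output on invalid UTF-8. */
static long escape_hardened(char *to, const char *from, size_t len)
{
    const char *end = from + len;
    char *out = to;

    while (from < end) {
        int mblen = utf8_lead_len((unsigned char) *from);

        if (mblen > 1) {
            if ((size_t) (end - from) < (size_t) mblen) { *to = '\0'; return -1; }
            for (int i = 1; i < mblen; i++)
                if (((unsigned char) from[i] & 0xC0) != 0x80) {
                    *to = '\0';
                    return -1;            /* 0x27 is not a continuation byte */
                }
            memcpy(out, from, (size_t) mblen);
            out  += mblen;
            from += mblen;
            continue;
        }
        if (*from == '\'')
            *out++ = '\'';
        *out++ = *from++;
    }
    *out = '\0';
    return (long) (out - to);
}

/* True if the escaped text still contains a quote that is not doubled,
 * i.e. one that would terminate a SQL string literal. */
int has_unescaped_quote(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '\'') {
            if (s[i + 1] == '\'') { i++; continue; }  /* doubled: harmless */
            return 1;
        }
    }
    return 0;
}

/* Convenience wrappers over static buffers. */
const char *escape_vulnerable_str(const char *s)
{
    static char buf[BUF_SIZE];
    escape_vulnerable(buf, s, strlen(s));
    return buf;
}

const char *escape_hardened_str(const char *s)   /* NULL on invalid UTF-8 */
{
    static char buf[BUF_SIZE];
    return escape_hardened(buf, s, strlen(s)) < 0 ? NULL : buf;
}

int main(void)
{
    /* Constructed payload: bogus lead byte 0xC0, the quote 0x27, then a psql
     * meta-command on the same line. */
    const char *payload = "\xC0' \\! id";
    const char *benign  = "O'Reilly";

    printf("pre-fix  : quote survives unescaped = %d\n",
           has_unescaped_quote(escape_vulnerable_str(payload)));
    printf("hardened : %s\n",
           escape_hardened_str(payload) ? "accepted" : "rejected as invalid UTF-8");
    printf("benign   : %s -> %s\n", benign, escape_hardened_str(benign));
    return 0;
}
```

The practical lesson is in the second function: the fix is not to special-case 0xC0 0x27 but to refuse to trust a lead byte until the bytes it claims have been verified. The fixed libpq takes the same stance, so callers that build SQL strings should check the escape functions' error reporting (PQescapeStringConn's error argument, or a NULL return from PQescapeLiteral) rather than assume the output is safe, and should prefer parameterized queries (PQexecParams) where possible so that no escaping is needed at all.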

Impact of the attack

Through this vulnerability the attackers obtained an API key used to provide remote support through BeyondTrust's SaaS services. With that key they were able to reset passwords and compromise infrastructure of the U.S. Department of the Treasury, gaining access to confidential documents and employee workstations. The attack exposed serious weaknesses along the whole chain and underlines the importance of robust input validation in critical libraries such as libpq.

Updates and corrective measures

In response, the PostgreSQL team has shipped updates that fix this vulnerability along with a number of other bugs. The fix tightens character validation in the escape functions: every multibyte sequence is now checked before it is trusted, so an invalid sequence can no longer smuggle a single quote past the escaping. Applications should upgrade libpq (and psql, which is built on it) rather than the server alone, since the vulnerable code runs on the client side.

As already mentioned, this update also fixes more than 70 bugs reported over the last few months, including:

  • Fixed possible reuse of stale results in window aggregates, which could lead to incorrect results.
  • Fixed several race conditions in vacuum that could, in the worst case, corrupt a system catalog.
  • Fixed several issues with TRUNCATE of tables and indexes that could lead to corruption.
  • Fixed detaching a partition whose own foreign key constraint references a partitioned table.
  • Fixed the FFn (e.g. FF1) to_timestamp() format codes, where an integer format code before FFn would consume all available digits.
  • Fixed SQL/JSON and XMLTABLE() to put double quotes around specific entries when needed.
  • Included the ldapscheme option in pg_hba_file_rules().
  • Fixed several UNION issues, including not merging columns with unsupported collations.
  • Fixed several issues that could affect the availability or speed of establishing a connection to PostgreSQL.
  • Fixed multiple memory leaks in logical decoding output plugins.
  • Fixed several memory leaks in PL/Python.
  • Fixed a pg_restore memory leak with zstd-compressed data.
  • Fixed pg_basebackup to properly handle pg_wal.tar files larger than 2GB on Windows.
  • Fixed a crash in pageinspect when the brin_page_items() function definition has not been updated to the latest version.
  • Fixed a race condition when cancelling a remote postgres_fdw query.

Finally, if you want to know more, you can consult the details at the following link