CVE-2025-4207

PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation

A buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.

Version Information

Affected Version Fixed In Fix Published
17 17.5 May 8, 2025
16 16.9 May 8, 2025
15 15.13 May 8, 2025
14 14.18 May 8, 2025
13 13.21 May 8, 2025

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 5.9
Component core server
Vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.

For reporting non-security bugs, please see the Report a Bug page.