Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser
of the origin server to inject arbitrary code for restore-time execution as
the client operating system account running psql to restore the dump, via psql
meta-commands. pg_dumpall is also affected. pg_restore is affected when used
to generate a plain-format dump. This is similar to MySQL CVE-2024-21096.
Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
The PostgreSQL project thanks Martin Rakhmanov, Matthieu Denais, and RyotaK for reporting this problem.
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| 17 | 17.6 | Aug. 14, 2025 |
| 16 | 16.10 | Aug. 14, 2025 |
| 15 | 15.14 | Aug. 14, 2025 |
| 14 | 14.19 | Aug. 14, 2025 |
| 13 | 13.22 | Aug. 14, 2025 |
For more information about PostgreSQL versioning, please visit the versioning page.
| Overall Score | 8.8 |
|---|---|
| Component | client |
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.
For reporting non-security bugs, please see the Report a Bug page.