Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of
the origin server to inject arbitrary code for restore-time execution as the
client operating system account running psql to restore the dump, via psql
meta-commands inside a purpose-crafted object name. The same attacks can
achieve SQL injection as a superuser of the restore target server. pg_dumpall,
pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6,
16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are
unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20
reintroduced it.
The PostgreSQL project thanks Noah Misch for reporting this problem.
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| 17 | 17.6 | Aug. 13, 2025 |
| 16 | 16.10 | Aug. 13, 2025 |
| 15 | 15.14 | Aug. 13, 2025 |
| 14 | 14.19 | Aug. 13, 2025 |
| 13 | 13.22 | Aug. 13, 2025 |
For more information about PostgreSQL versioning, please visit the versioning page.
| Overall Score | 8.8 |
|---|---|
| Component | client |
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.
For reporting non-security bugs, please see the Report a Bug page.