PostgreSQL Closes Vulnerability Exploited in BeyondTrust Attack

In a recent update, corrective patches were released for all supported branches of PostgreSQL, including versions 17.3, 16.7, 15.11, 14.16, and 13.19. These updates address more than 70 errors and vulnerabilities, including a security issue identified as CVE-2025-1094. The security patch was prompted by an attack on the company BeyondTrust and the US Department of Finance, which took place at the end of December.

The security flaw in PostgreSQL was uncovered during an analysis of a remote vulnerability (CVE-2024-12356) in BeyondTrust’s PRA (Privileged Remote Access) and RS (Remote Support) products. Attackers exploited this 0-day vulnerability in libpq while gaining access to BeyondTrust’s API, which is used for remote technical support services.

As a result of the breach, the attackers obtained access to the API key, allowing them to reset passwords and compromise the US Department of Finance’s infrastructure, which utilizes BeyondTrust products. The attackers were able to access confidential documents and compromise the workstations of Department employees.

The vulnerability in PostgreSQL’s libpq library affects applications that use functions such as PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), or PQescapeStringConn(). It enables attackers to inject their own SQL code when unescaped text is processed into SQL commands with the aforementioned functions. In the BeyondTrust products, the manipulated requests were passed on through the psql command-line client.

The root of the vulnerability lies in the mishandling of multi-byte UTF-8 sequences by the libpq escaping functions, which allows malicious actors to bypass quote escaping by manipulating those sequences so that a quote character is not treated as one. PostgreSQL users are advised to update their systems promptly to safeguard against potential security threats.
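As an added illustration (not code from the PostgreSQL project or from BeyondTrust), the following toy quote-doubling escaper models the bug class the article describes: it trusts the UTF-8 lead byte and copies the bytes that "should" follow it without checking them, so a quote hidden after a lone lead byte is never doubled. The hardened version rejects invalid UTF-8 before escaping; `escape_naive`, `escape_checked` and `quotes_intact` are names assumed here, and the `0xC2` input is a constructed sample.

```python
"""Toy model of an escaper that mishandles multi-byte UTF-8 (not libpq's code)."""


def _utf8_seq_len(lead: int) -> int:
    """Length a UTF-8 sequence is *supposed* to have, judged from its lead byte only."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 1  # stray continuation byte or invalid lead: treat as a single byte


def escape_naive(raw: bytes) -> bytes:
    """Doubles single quotes, but copies multi-byte sequences blindly.
    A quote sitting where a continuation byte is expected is never doubled."""
    out = bytearray()
    i = 0
    while i < len(raw):
        n = _utf8_seq_len(raw[i])
        if n == 1:
            out += b"''" if raw[i] == 0x27 else bytes([raw[i]])
            i += 1
        else:
            out += raw[i:i + n]  # the flaw: bytes after the lead are not inspected
            i += n
    return bytes(out)


def escape_checked(raw: bytes) -> bytes:
    """Hardened: refuse anything that is not valid UTF-8, then escape.
    decode() raises UnicodeDecodeError on a truncated or malformed sequence."""
    text = raw.decode("utf-8")
    return text.replace("'", "''").encode("utf-8")


def quotes_intact(escaped: bytes) -> bool:
    """Defensive check: every quote in escaped output must be part of a doubled pair."""
    i = 0
    while i < len(escaped):
        if escaped[i] == 0x27:
            if i + 1 < len(escaped) and escaped[i + 1] == 0x27:
                i += 2
                continue
            return False  # a lone quote survived escaping
        i += 1
    return True
```

Even with validated input, parameterized queries (for example PQexecParams in libpq) are the preferred defence, since they keep data out of the SQL text entirely.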
