InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…

CVE-2025-1094: PostgreSQL Injection Vulnerability Exploit

Overview

CVE-2025-1094 is a high-severity SQL injection vulnerability affecting multiple versions of PostgreSQL. The flaw is caused by improper neutralization of quoting syntax within PostgreSQL’s escaping functions, which attackers can leverage to execute arbitrary SQL commands.

Affected PostgreSQL Versions

  • PostgreSQL 17 (before v17.3)
  • PostgreSQL 16 (before v16.7)
  • PostgreSQL 15 (before v15.11)
  • PostgreSQL 14 (before v14.16)
  • PostgreSQL 13 (before v13.19)
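A version triage check built from the list above, added here as an example and not taken from the original write-up. The host names and banner strings in the sample inventory are constructed; majors not in the list are reported as "unlisted" rather than guessed.

```python
import re

# First fixed minor release per major branch, taken from the list above.
FIXED_MINOR = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}

# Matches "PostgreSQL 16.6 (...)" banners, "psql (PostgreSQL) 15.11",
# and bare "17.3" strings; the first major.minor pair found is used.
_VERSION_RE = re.compile(r"(?:PostgreSQL\s+)?(\d+)\.(\d+)")


def classify(version_string):
    """Return 'affected', 'patched' or 'unlisted' for one version string."""
    match = _VERSION_RE.search(version_string)
    if match is None:
        raise ValueError(f"no major.minor version in {version_string!r}")
    major, minor = int(match.group(1)), int(match.group(2))
    if major not in FIXED_MINOR:
        # The list above does not cover this branch; do not guess.
        return "unlisted"
    return "affected" if minor < FIXED_MINOR[major] else "patched"


def triage(inventory):
    """Map {host: version string} to {host: status}; unparseable -> 'unknown'."""
    report = {}
    for host, banner in inventory.items():
        try:
            report[host] = classify(banner)
        except ValueError:
            report[host] = "unknown"
    return report


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "db-a.example": "PostgreSQL 16.6 (Debian 16.6-1.pgdg120+1) on x86_64-pc-linux-gnu",
    "db-b.example": "17.3",
    "db-c.example": "psql (PostgreSQL) 15.11",
    "db-d.example": "13.18",
    "db-e.example": "12.22",
    "db-f.example": "version string missing",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {status}")
```
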

Exploited Functions

The vulnerability exists in the following PostgreSQL (libpq) escaping functions:

  • PQescapeLiteral()
  • PQescapeIdentifier()
  • PQescapeString()
  • PQescapeStringConn()

Applications use these functions to escape user input before embedding it in SQL queries. However, because the functions improperly handle certain character encodings, an attacker can get input past the escaping and perform SQL injection.

Exploit Prerequisites

Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by Ajay Naik

Cyber security Expert with a Strong Focus on Penetration Testing, Threat Intelligence, and Bug Bounty Hunting.
