Vulnerability DatabaseCVE-2025-8715
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-8715
August 14, 2025
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
Affected Packages
https://github.com/postgres/postgres.git (GITHUB):
Affected version(s) >=REL_15_0 <REL_15_14
Fix Suggestion:
Update to version REL_15_14
https://github.com/postgres/postgres.git (GITHUB):
Affected version(s) >=REL_16_0 <REL_16_10
Fix Suggestion:
Update to version REL_16_10
https://github.com/postgres/postgres.git (GITHUB):
Affected version(s) >=REL_17_0 <REL_17_6
Fix Suggestion:
Update to version REL_17_6
https://github.com/postgres/postgres.git (GITHUB):
Affected version(s) >=REL_11_20 <REL_13_22
Fix Suggestion:
Update to version REL_13_22
https://github.com/postgres/postgres.git (GITHUB):
Affected version(s) >=REL_14_0 <REL_14_19
Fix Suggestion:
Update to version REL_14_19
Related Resources (1)
https://www.postgresql.org/support/security/CVE-2025-8715/
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-93
EPSS
Base Score:
0.05