PostgreSQL High-Severity RCE Flaws in pg_dump Utilities Allow Remote Code Execution 

Summary: The PostgreSQL Global Development Group has issued a security update addressing 3 security vulnerabilities and over 55 bugs, including two high-severity remote code execution (RCE) flaws in core utilities. The update applies to PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22, as well as the third beta release of PostgreSQL 18.

Severity: High
CVSS Score: 8.8
CVEs: CVE-2025-8715, CVE-2025-8714, CVE-2025-8713
POC Available: No
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0

Overview 

These issues affect all PostgreSQL versions 13 through 17. All administrators and users are urged to update immediately to prevent potential exploitation.

| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| --- | --- | --- | --- | --- |
| Object Name Newline Injection | CVE-2025-8715 | PostgreSQL version 13-17 | High | 17.6, 16.10, 15.14, 14.19, 13.22 |
| pg_dump Restore-Time Arbitrary Code Execution | CVE-2025-8714 | PostgreSQL version 13-17 | High | 17.6, 16.10, 15.14, 14.19, 13.22 |
| View Access Policy Bypass via Statistics Leak | CVE-2025-8713 | PostgreSQL version 13-17 | Low | 17.6, 16.10, 15.14, 14.19, 13.22 |

Technical Summary 

The PostgreSQL security update addresses three vulnerabilities that primarily impact its core utilities, specifically pg_dump, pg_dumpall and pg_restore. The most severe flaws, CVE-2025-8714 and CVE-2025-8715, enable remote code execution during database restoration.

These flaws arise from improper handling of untrusted data and newline characters in dump output, allowing a malicious superuser on the origin server to inject arbitrary code via crafted meta-commands or object names.

When such a dump file is restored, the injected code executes on the client system as the operating system user running psql, leading to potential full system compromise. In some cases, the attack can even lead to SQL injection on the target server.

The third issue, CVE-2025-8713, is lower in severity but still notable, allowing unauthorized users to infer sensitive data from optimizer statistics due to insufficient enforcement of row-level security policies. This can lead to leakage of histogram data and most common value lists from views or partitioned tables. These vulnerabilities collectively threaten data confidentiality, system integrity and operational security, especially in environments where backups are frequently restored or shared.

| CVE ID | CVSS Score | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- | --- |
| CVE-2025-8715 | 8.8 | PostgreSQL version 13-17 | Caused by improper neutralization of newline characters in object names. A user with access to the origin server can craft object names containing newlines that inject psql meta-commands into the dump output. Upon restoration, these commands are interpreted and executed, leading to arbitrary code execution or even SQL injection on the restore target server. This issue was previously addressed in CVE-2012-0868 but was inadvertently reintroduced in version 11.20. | Arbitrary code execution |
| CVE-2025-8714 | 8.8 | PostgreSQL version 13-17 | A malicious superuser on the origin server can inject arbitrary code into a plain-format database dump via meta-commands or object definitions. When this dump is restored, the malicious code is executed by the psql client under the privileges of the system account running the restore operation. This flaw occurs due to insufficient validation of input data included in dump files. | Arbitrary code execution |
| CVE-2025-8713 | 3.1 | PostgreSQL version 13-17 | This allows unauthorized users to infer sensitive data by exploiting PostgreSQL's optimizer statistics. A user can craft a leaky operator or query that bypasses access control mechanisms within views or partitioned tables. This permits access to internal statistics, such as histograms or most-common-values lists, which can expose data that row security policies are meant to hide. | Unauthorized access |

Recommendations:

  • Upgrade to PostgreSQL versions 17.6, 16.10, 15.14, 14.19, 13.22, or the latest. 
  • Ensure pg_dump/restore operations are performed only with trusted data sources. 
  • Limit superuser privileges on database systems. 
  • Sanitize and audit database objects used in dumps or restores. 
  • Check for unusual meta-commands or object names in restore logs. 
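
One way to act on the last two recommendations before a restore, as an added example that is not PostgreSQL project code: a heuristic Python triage of a plain-format dump that flags lines starting with a psql meta-command outside COPY data, and header comments whose object name appears to span lines. The function name scan_dump, the allowlist and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: meta-commands a genuine dump may contain (pg_dumpall and
# pg_dump -C emit \connect; patched releases emit \restrict/\unrestrict).
EXPECTED_META = {"connect", "restrict", "unrestrict"}
COPY_START = re.compile(r"^COPY\s.+\sFROM\s+stdin;\s*$", re.IGNORECASE)
META = re.compile(r"^\s*\\([A-Za-z!?]\w*)")
TOC_NAME = re.compile(r"^-- (?:Data for )?Name: ")

# Constructed sample lines, not taken from a real dump.
SAMPLE = [
    "-- Name: accounts; Type: TABLE; Schema: public; Owner: app",
    "CREATE TABLE public.accounts (id integer, note text);",
    "-- Name: audit",
    "\\echo constructed-marker",
    "; Type: TABLE; Schema: public; Owner: app",
    "COPY public.accounts (id, note) FROM stdin;",
    "1\t\\N",
    "\\N\tstarts with an escape",
    "\\.",
    "\\connect app",
]

def scan_dump(lines):
    """Return (line_number, reason, text) findings for a plain-format dump."""
    findings, in_copy = [], False
    for num, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if in_copy:
            # COPY data ends at a line holding only "\."; rows in between
            # may start with escapes such as \N and are not meta-commands.
            if line == "\\.":
                in_copy = False
            continue
        if COPY_START.match(line):
            in_copy = True
            continue
        m = META.match(line)
        if m and m.group(1) not in EXPECTED_META:
            findings.append((num, "unexpected meta-command", line))
        # A header comment normally carries "; Type:" on the same line; if
        # it does not, the object name probably contains a line break.
        if TOC_NAME.match(line) and "; Type:" not in line:
            findings.append((num, "object name spans lines", line))
    return findings

if __name__ == "__main__":
    for finding in scan_dump(SAMPLE):
        print(finding)
```

This is triage only: a backslash at the start of a line inside a multi-line string literal or function body will also be reported, so review each finding by hand. It does not replace upgrading to the fixed versions.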

Conclusion: 
Two of the vulnerabilities (CVE-2025-8714 and CVE-2025-8715) allow for arbitrary code execution and threaten system integrity and confidentiality. While not publicly exploited at the time of release, the potential severity of these flaws makes immediate patching critical.

PostgreSQL administrators should update all affected systems and review internal restore processes to avoid compromise. 
