CVE-2025-1094

HIGH EXPLOITED LAB

PostgreSQL < 17.3, 16.7, 15.11, 14.16, 13.19 - SQL Injection via libpq Quoting Functions

Title source: llm

Exploitation Summary

CVE-2025-1094 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 8 public exploits: proof-of-concept repositories from researchers including soltanali0, ishwardeepp and Nguyen-Van-Gia-Binh, plus two Metasploit modules, exploits/linux/http/beyondtrust_pra_rs_command_injection and exploits/linux/http/beyondtrust_pra_rs_unauth_rce; the latter chains the BeyondTrust argument injection CVE-2024-12356 with CVE-2025-1094.

AI-analyzed exploit summary: The underlying flaw is that libpq's quoting functions (PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), PQescapeStringConn()) do not neutralize a quote that follows an invalid or truncated multibyte sequence, so attacker-controlled input that an application passes on to psql can terminate the quoted literal early. Because psql parses its input client-side, the injected text can carry psql meta-commands (such as \!) that execute commands on the client host, or reach COPY TO PROGRAM on the server. The tracked PoCs demonstrate file exfiltration and reverse shells; the Metasploit module beyondtrust_pra_rs_unauth_rce chains the bug with the BeyondTrust argument injection CVE-2024-12356 over WebSocket, which is the context behind the "WebSocket" references in several PoC summaries.

Description

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
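The quoting bug described above, modeled in Python as an added example (this is not PostgreSQL/libpq code and not any of the PoCs listed on this page). It models only the invalid-multibyte UTF-8 path that the psql PoCs use; the BIG5/EUC_TW command-line variant is not modeled. `escape_string_vulnerable` walks the input by the character length a lead byte claims, the way a non-validating escaper does, so a quote sitting in the claimed continuation bytes is copied through undoubled; `escape_string_hardened` validates the encoding before quoting and refuses invalid input. `build_psql_script` stands in for an application that feeds escaped user data into psql (the usage pattern the advisory requires), `after_first_literal` is a simplified byte-oriented scanner standing in for psql's client-side input splitting, and the payload in `demo` is constructed for the example.

```python
# Added example: a Python model of the CVE-2025-1094 quoting bug, not code from
# PostgreSQL/libpq or from any PoC on this page. It shows why a quote that
# follows an invalid multibyte lead byte survives escaping, and a hardened
# escaper that validates the encoding before quoting.


def utf8_claimed_len(lead: int) -> int:
    """Length a UTF-8 lead byte claims for its character, with no validation.
    0xC0 claims two bytes even though no valid UTF-8 character starts with it."""
    if lead < 0x80:
        return 1
    if lead & 0xE0 == 0xC0:
        return 2
    if lead & 0xF0 == 0xE0:
        return 3
    if lead & 0xF8 == 0xF0:
        return 4
    return 1  # stray continuation byte: treated as a single byte


def escape_string_vulnerable(data: bytes) -> bytes:
    """Model of the pre-fix behaviour: advance by the claimed character length,
    double a quote only when it begins a character, copy everything else as-is.
    Neither the lead byte nor the continuation bytes are validated, so a quote
    hidden at data[i+1..i+n-1] is copied through undoubled."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = utf8_claimed_len(data[i])
        if n == 1 and data[i] == ord("'"):
            out += b"''"
        else:
            out += data[i:i + n]  # may include a raw quote, or run off the end
        i += n
    return bytes(out)


def escape_string_hardened(data: bytes) -> bytes:
    """Hardened form: reject input that is not valid in the declared client
    encoding (UTF-8 here) before quoting, then double every quote byte."""
    try:
        data.decode("utf-8")  # strict decode fails on 0xC0, truncated sequences, etc.
    except UnicodeDecodeError as exc:
        raise ValueError(
            f"invalid UTF-8 at offset {exc.start}: {data[exc.start:exc.start + 1]!r}"
        ) from exc
    return data.replace(b"'", b"''")


def build_psql_script(name: bytes, escaper) -> bytes:
    """Hypothetical application code: builds text that is piped into psql,
    the usage pattern under which the advisory says injection is possible."""
    return b"SELECT * FROM users WHERE name = '" + escaper(name) + b"';\n"


def after_first_literal(script: bytes) -> bytes:
    """Byte-oriented scan of the first single-quoted literal, standing in for a
    scanner that is not multibyte-aware: '' stays inside the literal, any other
    single quote ends it. Returns whatever follows the literal."""
    i = script.index(b"'") + 1
    while i < len(script):
        if script[i] != ord("'"):
            i += 1
            continue
        if script[i + 1:i + 2] == b"'":  # doubled quote: still inside the literal
            i += 2
            continue
        return script[i + 1:]  # lone quote: the literal ends here
    return b""


def demo() -> dict:
    """Constructed attacker input: a bogus lead byte (0xC0), then a quote, then
    text the attacker wants psql to treat as its own commands."""
    payload = b"\xc0'; \\! id"
    vuln_script = build_psql_script(payload, escape_string_vulnerable)
    try:
        build_psql_script(payload, escape_string_hardened)
        hardened = "accepted"
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    return {
        # what a byte-oriented scanner sees after the (prematurely closed) literal
        "vulnerable_tail": after_first_literal(vuln_script),
        "hardened": hardened,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The vulnerable path yields a tail beginning `; \! id`, i.e. the attacker's text now sits outside the literal, while the hardened escaper refuses the input at offset 0. Validating against the declared client encoding before quoting is the property that matters; byte-wise doubling of quotes alone is not enough when the scanner on the other side does not agree with the escaper on where characters begin.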

Exploits (8)

nomisec WORKING POC 40 stars
by soltanali0 · poc
https://github.com/soltanali0/CVE-2025-1094-Exploit

This PoC exploits CVE-2025-1094, a PostgreSQL SQL injection vulnerability that escalates to RCE via WebSocket hijacking. It demonstrates file exfiltration and reverse shell execution.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: PostgreSQL (misconfigured functions)
No auth needed
Prerequisites: Vulnerable PostgreSQL endpoint · Open WebSocket connection · Network access to target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 5 stars
by ishwardeepp · poc
https://github.com/ishwardeepp/CVE-2025-1094-PoC-Postgre-SQLi

This repository contains a working proof-of-concept for CVE-2025-1094, a SQL injection vulnerability in PostgreSQL versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19. The exploit leverages an encoding mismatch between client and server to execute arbitrary SQL commands, including reading sensitive files like /etc/passwd.

Classification: Working PoC (95%) · Attack type: SQLi · Complexity: Moderate · Reliability: Reliable
Target: PostgreSQL (versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19)
No auth needed
Prerequisites: PostgreSQL with server_encoding=EUC_TW and client_encoding=BIG5 · Access to a vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by Nguyen-Van-Gia-Binh · poc
https://github.com/Nguyen-Van-Gia-Binh/Fcode-Security-Demo

This repository contains a functional PoC for CVE-2025-1094, demonstrating a PostgreSQL multi-byte SQL injection vulnerability in the `pg-native` Node.js library when using older versions of `libpq` with multi-byte character encodings like BIG5 or EUC_TW.

Classification: Working PoC (95%) · Attack type: SQLi · Complexity: Moderate · Reliability: Reliable
Target: pg-native (Node.js PostgreSQL client) with libpq < 15.11
No auth needed
Prerequisites: PostgreSQL with multi-byte encoding (e.g., BIG5, EUC_TW) · standard_conforming_strings set to off · pg-native library using vulnerable libpq version
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by TranDongA3 · remote
https://github.com/TranDongA3/POC-CVE-2025-1094

This repository contains a functional exploit PoC for CVE-2025-1094, demonstrating a SQL injection vulnerability in PostgreSQL's libpq and psql that can lead to RCE. The exploit leverages a multibyte UTF-8 handling flaw to bypass escaping mechanisms and execute arbitrary shell commands via psql meta-commands.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: PostgreSQL libpq and psql (versions < 17.3, < 16.7, < 15.11, < 14.16, < 13.19)
No auth needed
Prerequisites: PostgreSQL server with vulnerable libpq/psql · Network access to the target server
devstral-2 · analyzed May 11, 2026
github WORKING POC
by PinkArmor · python · remote · auth
https://github.com/PinkArmor/CVE-2025-1094-Lab-Setup

This repository contains a functional exploit for CVE-2025-1094, targeting PostgreSQL's psql tool via malformed UTF-8 input to achieve SQL injection and remote code execution using the COPY TO PROGRAM feature.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: PostgreSQL psql (versions 14.15 and earlier)
Auth required
Prerequisites: PostgreSQL server with psql version 14.15 or earlier · Valid credentials for PostgreSQL · Network connectivity between attacker and victim
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by aninfosec · remote
https://github.com/aninfosec/CVE-2025-1094

This PoC exploits CVE-2025-1094, a PostgreSQL input sanitization vulnerability in BIG5 encoding, to achieve SQL injection and potentially RCE via COPY TO PROGRAM. It demonstrates how improperly sanitized input can bypass query boundaries and execute arbitrary commands.

Classification: Working PoC (95%) · Attack type: SQLi · Complexity: Moderate · Reliability: Reliable
Target: PostgreSQL (versions prior to the fixed releases 17.3, 16.7, 15.11, 14.16, and 13.19, published Feb 13, 2025)
Auth required
Prerequisites: Valid PostgreSQL credentials · Client encoding set to BIG5 · Unsanitized input passed to SQL queries · Access to functions like pg_read_file or COPY TO PROGRAM
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Harsh Jaiswal, Jonah Burgess (CryptoCat) · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/beyondtrust_pra_rs_command_injection.rb

This Metasploit module exploits an unauthenticated remote code execution vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) by leveraging command injection via WebSocket communication. It targets versions 25.3.1 and prior for RS and 24.3.4 and prior for PRA.

Classification: Working PoC (100%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS), versions 25.3.1 and prior (RS) and 24.3.4 and prior (PRA)
No auth needed
Prerequisites: Network access to the target WebSocket endpoint · Target must be running a vulnerable version of BeyondTrust PRA or RS
devstral-2 · analyzed Feb 25, 2026
metasploit WORKING POC EXCELLENT
by sfewer-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb

This Metasploit module exploits an unauthenticated RCE vulnerability in BeyondTrust PRA/RS (versions ≤ 24.3.1) by leveraging argument injection (CVE-2024-12356) and SQL injection (CVE-2025-1094) via WebSocket communication. It includes checks for target version and site discovery.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) ≤ 24.3.1
No auth needed
Prerequisites: Network access to target WebSocket endpoint · Target running vulnerable BeyondTrust version
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.1
EPSS 0.8236
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: no
Technical Impact: total

Details

VulnCheck KEV 2025-02-13
CWE: CWE-149 (Improper Neutralization of Quoting Syntax)
Status published
Products (5, vendor n/a)
PostgreSQL < 13.19
PostgreSQL 14.0 through 14.15 (fixed in 14.16)
PostgreSQL 15.0 through 15.10 (fixed in 15.11)
PostgreSQL 16.0 through 16.6 (fixed in 16.7)
PostgreSQL 17.0 through 17.2 (fixed in 17.3)
Published Feb 13, 2025
Tracked Since Feb 18, 2026