Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2025-8714
PUBLISHED
More InfoOfficial Page
Assigner-PostgreSQL
Assigner Org ID-f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
View Known Exploited Vulnerability (KEV) details
Published At-14 Aug, 2025 | 13:00
Updated At-26 Feb, 2026 | 17:48
Rejected At-
▼CVE Numbering Authority (CNA)
PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

Affected Products
Vendor
n/a
Product
PostgreSQL
Default Status
unaffected
Versions
Affected
  • From 17 before 17.6 (rpm)
  • From 16 before 16.10 (rpm)
  • From 15 before 15.14 (rpm)
  • From 14 before 14.19 (rpm)
  • From 0 before 13.22 (rpm)
Problem Types
TypeCWE IDDescription
CWECWE-829Inclusion of Functionality from Untrusted Control Sphere
Type: CWE
CWE ID: CWE-829
Description: Inclusion of Functionality from Untrusted Control Sphere
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations

attacker can direct pg_dump et al. to a malicious origin server

Workarounds

use "pg_restore --dbname" instead of restore methods that involve "psql"

Exploits
Credits
The PostgreSQL project thanks Martin Rakhmanov, Matthieu Denais, and RyotaK for reporting this problem.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.postgresql.org/support/security/CVE-2025-8714/
N/A
Hyperlink: https://www.postgresql.org/support/security/CVE-2025-8714/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found