PostgreSQL Untrusted Data Injection in pg_dump Allows Arbitrary Code Execution via psql Meta-Commands

Vulnerability

A vulnerability exists in PostgreSQL's pg_dump utility, affecting versions prior to 17.6, 16.10, 15.14, 14.19, and 13.22. It allows a malicious superuser on the origin server to inject arbitrary code into the dump; that code is executed during the restoration process under the client's operating system account that runs psql. The issue also affects pg_dumpall and pg_restore when generating a plain-format dump. This vulnerability is similar to MySQL's CVE-2024-21096.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of arbitrary code on the client's operating system during the restoration of the database dump.

Remediation

Users can upgrade to PostgreSQL versions 17.6, 16.10, 15.14, 14.19, or 13.22 to address this vulnerability.
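Because the vector described above is a psql meta-command that ends up in a plain-format dump and runs under the restoring user's OS account, a defender who has not yet upgraded can at least inspect a dump before feeding it to psql. The following scanner is an added example written for this page; it is not PostgreSQL's own code. It assumes that pg_dumpall legitimately emits `\connect`, that the patched releases emit `\restrict`/`\unrestrict` (an assumption, since the advisory does not say so), and that anything else starting a line with a backslash outside a COPY data block deserves a human look. The sample dump text is constructed, not real pg_dump output.

```python
import re
import sys

# Meta-commands a plain-format pg_dump/pg_dumpall output is expected to carry.
# \connect comes from pg_dumpall; \restrict and \unrestrict are assumed to be
# emitted by the fixed releases (assumption: not stated in the advisory).
EXPECTED_META = {"connect", "restrict", "unrestrict"}

# Start of a COPY data block as pg_dump writes it; the block ends with a "\." line.
COPY_START_RE = re.compile(r"^COPY\s.*\bFROM\s+stdin;\s*$", re.IGNORECASE)


def _meta_name(line):
    """Return the meta-command name if the line begins one, else None.

    psql recognises a backslash command only at the start of a line (outside
    string literals).  The name is the letter run after the backslash, or the
    single punctuation character for commands such as \\! and \\?.
    """
    if not line.startswith("\\") or len(line) < 2 or line[1].isspace():
        return None
    ch = line[1]
    if ch.isalpha():
        return re.match(r"[A-Za-z]+", line[1:]).group(0)
    return ch


def scan_dump(text):
    """Return (line_no, command, line) for every unexpected meta-command.

    Lines inside COPY ... FROM stdin; blocks are skipped: they are data, and
    psql never interprets them as commands (a data line may start with \\N).
    """
    findings = []
    in_copy = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if in_copy:
            if line == "\\.":          # end-of-data marker
                in_copy = False
            continue
        if COPY_START_RE.match(line):
            in_copy = True
            continue
        name = _meta_name(line)
        if name is not None and name not in EXPECTED_META:
            findings.append((lineno, name, line.rstrip()))
    return findings


# Constructed sample: a tiny plain-format dump with one injected meta-command.
SAMPLE_DUMP = "\n".join([
    r"--",
    r"-- PostgreSQL database dump (constructed sample, not real pg_dump output)",
    r"--",
    r"\connect mydb",
    r"CREATE TABLE public.t (id integer, note text);",
    r"COPY public.t (id, note) FROM stdin;",
    "1\t\\N",
    "2\t\\\\! this is row data, not a command",
    r"\.",
    r"-- Name: t; Type: TABLE COMMENT",
    r"\! true",
    r"COMMENT ON TABLE public.t IS 'harmless';",
]) + "\n"


if __name__ == "__main__":
    # Usage: python scan_dump.py dump.sql   (no argument scans the sample above)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    hits = scan_dump(text)
    for lineno, name, line in hits:
        print(f"line {lineno}: unexpected psql meta-command \\{name}: {line}")
    sys.exit(1 if hits else 0)
```

The check is deliberately conservative: a backslash at the start of a line inside a multi-line string literal or dollar-quoted function body is not a command to psql, so such lines will show up as false positives, which is acceptable for a pre-restore review. A non-zero exit code lets the scan gate an automated restore pipeline until someone has looked at the flagged lines.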

Added: Aug 14, 2025, 3:35 PM
Updated: Aug 14, 2025, 3:35 PM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 2.5
exploitability: 4.0
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.