Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PostgreSQL 13.x < 13.22 / 14.x < 14.19 / 15.x < 15.14 / 16.x < 16.10 / 17.x < 17.6 Multiple Vulnerabilities

🗓️ 21 Aug 2025 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 4 Views

PostgreSQL 13–17 older than fixes: dump/restore and statistics leaks; CVEs 2025-8715, 2025-8714.

Related
Refs
Code
ReporterTitlePublishedViews
Family
FreeBSD		PostgreSQL -- Selectivity estimators bypass row security policies
9 May 201900:00
freebsd
FreeBSD		databases/postgresql*-client -- multiple vulnerabilities
27 Feb 201200:00
freebsd
FreeBSD		PostgreSQL vulnerabilities
11 May 201700:00
freebsd
FreeBSD		PostgreSQL -- vulnerabilities
11 Aug 202500:00
freebsd
ALT Linux		Security fix for the ALT Linux 10 package postgresql12 version 11.3-alt1
8 May 201900:00
altlinux
ALT Linux		Security fix for the ALT Linux 8 package postgresql9.6 version 9.6.13-alt0.M80P.1
14 May 201900:00
altlinux
ALT Linux		Security fix for the ALT Linux 10 package postgresql15 version 11.3-alt1
8 May 201900:00
altlinux
ALT Linux		Security fix for the ALT Linux 10 package postgresql13 version 11.3-alt1
8 May 201900:00
altlinux
ALT Linux		Security fix for the ALT Linux 9 package postgresql12 version 11.3-alt1
8 May 201900:00
altlinux
ALT Linux		Security fix for the ALT Linux 8 package postgresql10 version 10.8-alt0.M80P.1
14 May 201900:00
altlinux
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# Portions Copyright (C) 1996-2019, The PostgreSQL Global Development Group
# Portions Copyright (C) 1994, The Regents of the University of California
# Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and without a written agreement is hereby granted, provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies.
# IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
##

include('compat.inc');

if (description)
{
  script_id(253431);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/21");

  script_cve_id("CVE-2025-8713", "CVE-2025-8714", "CVE-2025-8715");
  script_xref(name:"IAVB", value:"2025-B-0140-S");

  script_name(english:"PostgreSQL 13.x < 13.22 / 14.x < 14.19 / 15.x < 15.14 / 16.x < 16.10 / 17.x < 17.6 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The version of PostgreSQL installed on the remote host is 13 prior to 13.22, 14 prior to 14.19, 15 prior to 15.14, 16
prior to 16.10, or 17 prior to 17.6. As such, it is potentially affected by multiple vulnerabilities :

  - Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject
    arbitrary code for restore-time execution as the client operating system account running psql to restore
    the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL
    injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also
    affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before
    11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
    (CVE-2025-8715)

  - Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to
    inject arbitrary code for restore-time execution as the client operating system account running psql to
    restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to
    generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6,
    16.10, 15.14, 14.19, and 13.22 are affected. (CVE-2025-8714)

  - PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot
    access. Separately, statistics allow a user to read sampled data that a row security policy intended to
    hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is
    consulted during the query planning process. Prior to this release, a user could craft a leaky operator
    that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table
    inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values
    lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap
    remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. (CVE-2025-8713)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://www.postgresql.org/about/news/postgresql-176-1610-1514-1419-1322-and-18-beta-3-released-3118/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7f3d1d49");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PostgreSQL 13.22 / 14.19 / 15.14 / 16.10 / 17.6 or later");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-8715");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/08/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/08/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/08/21");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:postgresql:postgresql");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("postgres_installed_windows.nbin", "postgres_installed_nix.nbin", "postgresql_version.nbin");
  script_require_ports("Services/postgresql", 5432, "installed_sw/PostgreSQL");

  exit(0);
}

include('vcf_extras_postgresql.inc');

var win_local = TRUE;
if (!get_kb_item('SMB/Registry/Enumerated'))
  win_local = FALSE;

var port = get_service(svc:'postgresql', default:5432);
var kb_base = 'database/' + port + '/postgresql/';
var kb_ver = NULL;
var kb_path = kb_base + 'version';
var ver = get_kb_item(kb_path);
if (!empty_or_null(ver)) kb_ver = kb_path;

var app_info = vcf::postgresql::get_app_info(app:'PostgreSQL', port:port, kb_ver:kb_ver, kb_base:kb_base, win_local:win_local);
vcf::check_granularity(app_info:app_info, sig_segments:2);

#  13.22 / 14.19 / 15.14 / 16.10 / 17.6
var constraints = [
  { 'min_version' : '13', 'fixed_version' : '13.22' },
  { 'min_version' : '14', 'fixed_version' : '14.19' },
  { 'min_version' : '15', 'fixed_version' : '15.14' },
  { 'min_version' : '16', 'fixed_version' : '16.10' },
  { 'min_version' : '17', 'fixed_version' : '17.6' }
];

vcf::postgresql::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE,
    flags:{'sqli':TRUE}
);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Jan 2026 00:00Current
7.5High risk
Vulners AI Score7.5
CVSS 26.8
CVSS 33.1 - 7.5
CVSS 3.14.3 - 8.8
EPSS0.04372
SSVC
dump restoration vulnerabilityuntrusted data inclusionstatistics leakageview access bypassrow security bypasspostgresql versions
4