Introduction
Database administrators restoring backups from trusted sources may unknowingly execute attacker-supplied code with full operating system privileges. CVE-2025-8714 exposes a critical flaw in PostgreSQL's backup and restore utilities, affecting a wide range of supported versions and potentially impacting production, cloud, and managed database environments.
PostgreSQL is one of the most widely used open-source relational database management systems, powering applications for enterprises, cloud providers, and critical infrastructure. Its backup and restore utilities (pg_dump, pg_dumpall, pg_restore) are essential for disaster recovery and migration workflows. A vulnerability in these components can have far-reaching operational and security consequences.
Technical Information
CVE-2025-8714 is rooted in the way pg_dump and related utilities handle data taken from the origin database. A PostgreSQL superuser on the source system can create or modify database objects (such as tables, comments, or functions) so that the dump file contains psql meta-commands. These meta-commands begin with a backslash (the shell meta-command, for example, is a backslash followed by an exclamation mark) and are interpreted by psql when the dump is restored. If such commands are embedded in the dump file, they execute as the operating system user running the restore process.
The vulnerability affects the following utilities:
- pg_dump
- pg_dumpall
- pg_restore (when used to generate plain-format dumps)
The root cause is insufficient sanitization or validation of database content before inclusion in the dump file. This is a classic case of CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The issue is similar to MySQL's CVE-2024-21096, where mysqldump allowed injection of shell commands via crafted database content.
No public code snippets or proof of concept are available at this time. The attack requires superuser privileges on the origin PostgreSQL instance.
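The restore-side check below is an added example, not code from the PostgreSQL project or from the advisory: it scans a plain-format dump for psql meta-commands that appear outside COPY data blocks before the file is handed to psql. The allow-list, the COPY-header pattern and the sample dump are assumptions constructed for this example.

```python
import re

# Meta-commands a legitimate plain-format dump is expected to contain.
# pg_dumpall emits \connect to switch databases; anything else is flagged.
# Assumption for this example: extend the set for the dump-only meta-commands
# your pg_dump version emits.
ALLOWED_META = {r"\connect"}

# Header line that opens a block of table data in pg_dump plain output.
COPY_START = re.compile(r"^COPY\s.+\sFROM\s+stdin;\s*$", re.IGNORECASE)


def scan_dump(dump_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for each line-initial psql meta-command that is
    outside a COPY data block and not on the allow-list.

    COPY ... FROM stdin; data (up to the terminating "\\.") is skipped: COPY text
    format legitimately produces rows starting with a backslash, e.g. "\\N" for a
    NULL first column, and psql never treats those rows as meta-commands.
    Limitation: an unquoted backslash after SQL text on the same line is not
    checked; that needs a SQL-aware tokenizer.
    """
    findings = []
    in_copy = False
    for lineno, raw in enumerate(dump_text.splitlines(), start=1):
        line = raw.rstrip()
        if in_copy:
            in_copy = line != r"\."
            continue
        stripped = line.lstrip()
        if COPY_START.match(stripped):
            in_copy = True
        elif stripped.startswith("\\"):
            verb = stripped.split(maxsplit=1)[0]
            if verb not in ALLOWED_META:
                findings.append((lineno, line))
    return findings


# Constructed sample (not real pg_dump output): legitimate \connect and COPY data,
# including a NULL first column written as \N, plus one injected shell meta-command.
SAMPLE_DUMP = "\n".join([
    "--", "-- PostgreSQL database dump (constructed sample)", "--",
    r"\connect appdb",
    "CREATE TABLE public.users (id integer, name text);",
    "COPY public.users (id, name) FROM stdin;",
    "1\talice",
    "\\N\tbob",                            # COPY data: must not be flagged
    r"\.",
    "COMMENT ON TABLE public.users IS 'customer accounts';",
    r"\! echo CONSTRUCTED-PLACEHOLDER",    # injected meta-command: must be flagged
    "CREATE INDEX users_id_idx ON public.users USING btree (id);",
])

if __name__ == "__main__":
    for lineno, line in scan_dump(SAMPLE_DUMP):
        print(f"line {lineno}: unexpected psql meta-command: {line}")
```

A non-empty result is a reason to stop and inspect the dump rather than restore it; a clean result only covers the line-initial case described in the docstring.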
Affected Systems and Versions
The following PostgreSQL versions are affected:
- All versions before 17.6
- All versions before 16.10
- All versions before 15.14
- All versions before 14.19
- All versions before 13.22
Any system using pg_dump, pg_dumpall, or pg_restore (plain-format) from these versions is vulnerable. The attack requires that the origin server is controlled by a malicious superuser.
Vendor Security History
PostgreSQL has experienced several notable vulnerabilities in its backup and restoration utilities:
- CVE-2025-1094: SQL injection in psql via improper UTF-8 handling, allowing meta-command injection.
- CVE-2024-7348: TOCTOU race condition in pg_dump, enabling arbitrary SQL function execution during backup.
The PostgreSQL Global Development Group typically provides timely patches and detailed advisories. However, the recurrence of backup-related vulnerabilities highlights the need for ongoing architectural review and security testing.
