Privilege Escalation in AWS Aurora PG Wrappers v2.6.5 (RDS Superuser)
CVE-2025-12967 Published on November 10, 2025
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. We recommend customers upgrade to the following versions: AWS JDBC Wrapper to v2.6.5, AWS Go Wrapper to 2025-10-17, AWS NodeJS Wrapper to v2.0.1, AWS Python Wrapper to v1.4.0 and AWS PGSQL ODBC driver to v1.0.1
Vulnerability Analysis
CVE-2025-12967 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Reflection Injection Vulnerability?
The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. If the application uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the application's classpath (CWE-427) or add new entries to the application's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the application.
CVE-2025-12967 has been classified to as a Reflection Injection vulnerability or weakness.
Products Associated with CVE-2025-12967
Want to know whenever a new CVE is published for Amazon Aws? stack.watch will email you.
Affected Versions
AWS JDBC Wrapper:- Version 2.6.5 is unaffected.
- Version 2025-10-17 is unaffected.
- Version 2.0.1 is unaffected.
- Version 1.4.0 is unaffected.
- Version 1.0.1 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-12967
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| pip | aws_advanced_python_wrapper | < 1.4.0 | 1.4.0 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.