CVE-2025-8715: pg_dump Newline Code Injection (PG <17.6, <16.10, <15.14, <14.19, <13.22)
CVE-2025-8715 Published on August 14, 2025
PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
Weakness Type
What is a CRLF Injection Vulnerability?
The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CVE-2025-8715 has been classified to as a CRLF Injection vulnerability or weakness.
Products Associated with CVE-2025-8715
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-8715 are published in these products:
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.