GHSA-hrwm-9436-5mv3

Published: 03 Jul 2025
Source: github
GitHub: Not reviewed

Description

pgsql extension does not check for errors during escaping

Summary

Missing error checking could result in SQL injection and missing error handling could lead to crashes due to null pointer dereferences.

Details

This is related to https://www.postgresql.org/support/security/CVE-2025-1094/ that was reported to postgres. The reporter used php to showcase the problem.

While working on addressing the report, it was realised that PHP uses the escape functions in a way that does not allow for errors to be reported. Specifically, the error parameter is not passed to PQescapeStringConn(), which therefore cannot report an error.

While postgres now tries to make sure that the escaped string will trigger errors on the server-side if the string is invalidly encoded, that still can be insufficient, depending on how the escaped values are used.

It was also noted that several calls to PQescapeIdentifier() do not check for the returned value being NULL, despite that being the documented way for PQescapeIdentifier() (and PQescapeLiteral()) to report errors. This could cause crashes or at least UB in some of the call sites.
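As an added example (not code from the advisory, from PHP's source, or from libpq), the defensive call pattern the report implies for PHP user code: a false return from pg_escape_identifier() or pg_escape_literal() is treated as a failure rather than concatenated into SQL, and values are bound with pg_query_params() so they never need escaping at all. The connection handle, table and column names are assumptions.

```php
<?php
// Added example: defensive use of the pgsql extension's escaping API.
// $conn is an assumed open PgSql\Connection; names are constructed samples.

/**
 * Look up rows by a caller-supplied table/column name and value.
 * Identifiers cannot be bound as query parameters, so they go through
 * pg_escape_identifier(); its documented failure signal (false) is
 * checked before anything is built into SQL. The value is bound with
 * pg_query_params(), which avoids string escaping of user data entirely.
 */
function lookup_by_column($conn, string $table, string $column, string $value): array
{
    $qTable  = pg_escape_identifier($conn, $table);
    $qColumn = pg_escape_identifier($conn, $column);
    if ($qTable === false || $qColumn === false) {
        // libpq rejected the identifier (for example an encoding the
        // connection's client_encoding cannot validate). Stop here instead
        // of emitting a query built from an unescaped name.
        throw new RuntimeException('identifier escaping failed: ' . pg_last_error($conn));
    }

    $sql = "SELECT * FROM {$qTable} WHERE {$qColumn} = \$1";
    $res = pg_query_params($conn, $sql, [$value]);
    if ($res === false) {
        throw new RuntimeException('query failed: ' . pg_last_error($conn));
    }
    return pg_fetch_all($res);
}

/**
 * For the rare case where a bound parameter is not possible, quote a
 * literal and still check for the false return rather than assuming a
 * string came back.
 */
function quoted_literal($conn, string $value): string
{
    $lit = pg_escape_literal($conn, $value);
    if ($lit === false) {
        throw new RuntimeException('literal escaping failed: ' . pg_last_error($conn));
    }
    return $lit;
}
```

The same rule applies to PDO's PDO::quote(), which returns false on failure in the fixed pdo_pgsql: check the result before interpolating it.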

Packages

Name            Affected versions   Fixed version
(not given)     < 8.1.33            8.1.33
(not given)     < 8.2.29            8.2.29
(not given)     < 8.3.23            8.3.23
(not given)     < 8.4.10            8.4.10

EPSS

Percentile: 22%
0.00071
Low

Related vulnerabilities

CVSS3: 5.9
ubuntu
21 days ago

In PHP versions: 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

CVSS3: 5.9
redhat
30 days ago

In PHP versions: 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

CVSS3: 5.9
nvd
21 days ago

In PHP versions: 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

CVSS3: 5.9
debian
21 days ago

In PHP versions: 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before ...

suse-cvrf
11 days ago

Security update for php8
