"Because of how PostgreSQL string escaping routines handle invalid UTF-8 characters, in combination with how invalid byte sequences within the invalid UTF-8 characters are processed by psql, an attacker can leverage CVE-2025-1094 to generate a SQL injection."

UTF-8 and its consequences have been a disaster for information security
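The quoted advisory text boils down to a mismatch: a quoting routine that assumes its input is well-formed UTF-8, fed bytes that are not, can disagree with the consumer about where a character ends and therefore about where a quote character sits. The defensive pattern that follows from that is to validate the encoding strictly before any quoting happens, and to prefer bound parameters over building SQL text at all. The code below is an added illustration written for this thread, not code from the comment, the advisory, or the PostgreSQL project; it uses Python's strict UTF-8 decoder and an in-memory SQLite table as a stand-in for a real database, and the sample byte strings are constructed here (they are not taken from the CVE write-up and are not a reproduction of its specific mechanics).

```python
import sqlite3


def is_strict_utf8(data: bytes) -> bool:
    """Return True only if data is well-formed UTF-8.

    Python's strict decoder rejects truncated multi-byte sequences, overlong
    encodings and encoded surrogates, which is the bar an input validator
    should meet before any quoting routine ever sees the bytes.
    """
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def quote_literal(data: bytes) -> str:
    """Quote untrusted bytes as a SQL string literal, refusing malformed UTF-8.

    Doubling single quotes is only sound when the quoting code and the SQL
    consumer agree on where every character ends. A stray lead byte sitting in
    front of a quote is exactly the kind of input on which two parsers can
    disagree, so such input is rejected outright rather than escaped.
    """
    if not is_strict_utf8(data):
        raise ValueError("input is not valid UTF-8; refusing to quote it")
    return "'" + data.decode("utf-8").replace("'", "''") + "'"


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn


def lookup_user(conn: sqlite3.Connection, name: bytes) -> list[int]:
    """Preferred path: validate the encoding, then bind the value as a
    parameter so no quoting of the value happens in application code."""
    if not is_strict_utf8(name):
        raise ValueError("input is not valid UTF-8; refusing to query with it")
    cur = conn.execute("SELECT id FROM users WHERE name = ?",
                       (name.decode("utf-8"),))
    return [row[0] for row in cur.fetchall()]


# Constructed sample inputs (not from the advisory) covering the cases a
# validator has to get right: clean text, a legitimate quote, and three
# distinct kinds of malformed UTF-8.
SAMPLE_INPUTS = {
    "plain ascii": b"alice",
    "valid multibyte": "Zo\u00eb".encode("utf-8"),
    "quote inside valid text": b"O'Brien",
    "truncated lead byte before quote": b"\xc3'",
    "overlong encoding of NUL": b"\xc0\x80",
    "encoded UTF-16 surrogate": b"\xed\xa0\x80",
}


def classify_inputs() -> dict[str, str]:
    """Run every sample through quote_literal and report accepted/rejected."""
    result = {}
    for label, raw in SAMPLE_INPUTS.items():
        try:
            quote_literal(raw)
            result[label] = "accepted"
        except ValueError:
            result[label] = "rejected"
    return result


if __name__ == "__main__":
    for label, verdict in classify_inputs().items():
        print(f"{verdict:8} {label}")
    conn = make_demo_db()
    print("lookup O'Brien ->", lookup_user(conn, b"O'Brien"))
```

The validation step is deliberately placed in front of both paths: the quoting routine, where it closes the character-boundary ambiguity, and the parameterized query, where it keeps undecodable bytes from ever being handed to the driver. Note that `quote_literal` is here only to make the failure class visible; in application code the parameterized `lookup_user` shape is the one to keep.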



But also this:

"Running meta-commands can extend psql's functionality, and it's through these that an attacker can feasibly achieve ACE by using the exclamation mark meta-command to execute a shell command on the operating system. Attackers can also use the vulnerability to execute SQL statements of their choosing."

I don't know PostgreSQL very well, but being able to execute shell commands by default seems like an obvious footgun.


I use shell commands alright. I don't let internet randos use shell commands on my system, though.

I've been keeping a casual eye on SQL injection stuff, and Unicode escaping seems to be a source of problems.
