CVE-2022-2625

Name: CVE-2022-2625
Creator: NVD / NIST
Published: 2022-08-18T19:15:14.5+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8/10EPSS 1.52%

Last modified Jun 17, 2026

CVE-2022-2625 is a high-severity vulnerability rated 8/10 on the CVSS scale. A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. EPSS estimates a 1.52% chance of exploitation in the next 30 days.

Description

A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.

Metrics

CVSS 3.1

8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

1.52%

71.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Postgresql	Postgresql	>= 10.0, < 10.22	—
Postgresql	Postgresql	>= 11.0, < 11.17	—
Postgresql	Postgresql	>= 12.0, < 12.12	—
Postgresql	Postgresql	>= 13.0, < 13.8	—
Postgresql	Postgresql	>= 14.0, < 14.5	—
Postgresql	Postgresql	15	Beta1
Fedoraproject	Fedora	36	—
Redhat	Enterprise Linux	6.0	—
Redhat	Enterprise Linux	7.0	—
Redhat	Enterprise Linux	8.0	—
Redhat	Enterprise Linux	9.0	—

References

https://bugzilla.redhat.com/show_bug.cgi?id=2113825Issue Tracking, Third Party Advisory
https://security.gentoo.org/glsa/202211-04Third Party Advisory
https://www.postgresql.org/about/news/postgresql-145-138-1212-1117-1022-and-15-beta-3-released-2496/Release Notes, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2113825Issue Tracking, Third Party Advisory
https://security.gentoo.org/glsa/202211-04Third Party Advisory
https://www.postgresql.org/about/news/postgresql-145-138-1212-1117-1022-and-15-beta-3-released-2496/Release Notes, Vendor Advisory

Timeline

Published: Aug 18, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-2625?

How severe is CVE-2022-2625?

CVE-2022-2625 has a CVSS score of 8/10 (HIGH severity). The EPSS model estimates a 1.52% probability of exploitation in the next 30 days.

How do I fix CVE-2022-2625?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-2625?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST