CVE-2026-25041

Description

**Location**: `packages/server/src/integrations/postgres.ts:529-531` #### Description The PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command. #### Code Reference ```529:531:packages/server/src/integrations/postgres.ts const dumpCommand = `PGPASSWORD="${ this.config.password }" pg_dump --schema-only "${dumpCommandParts.join(" ")}"` ``` #### Attack Vector An attacker who can control database configuration values (e.g., through compromised credentials or configuration injection) can inject shell commands. For example: - Password: `password"; malicious-command; echo "` - Database name: `db"; rm -rf /; echo "` #### Impact - Remote code execution - System compromise - Data exfiltration #### Recommendation 1. Use environment variables for sensitive values instead of command-line arguments 2. Validate and sanitize all configuration values 3. Use proper escaping for shell arguments 4. Consider using a PostgreSQL library's native dump functionality instead of shell commands #### Example Fix ```typescript import { execFile } from "child_process" import { promisify } from "util" const execFileAsync = promisify(execFile) // Use execFile with proper argument handling const env = { ...process.env, PGPASSWORD: this.config.password } const args = [ "--schema-only", "--host", this.config.host, "--port", this.config.port.toString(), "--username", this.config.user, "--dbname", this.config.database ] try { const { stdout } = await execFileAsync("pg_dump", args, { env }) return stdout } catch (error) { // Handle error } ```

How to fix CVE-2026-25041

To remediate CVE-2026-25041, upgrade the affected package to a fixed version below.

• —upgrade to 3.23.32 or later

Is CVE-2026-25041 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)