Miggo Logo

CVE-2025-61385: pg8000 SQL injection vulnerability via a specially crafted Python list input

N/A

CVSS Score

Basic Information

EPSS Score
-
Published
10/27/2025
Updated
10/27/2025
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
pg8000pip<= 1.31.41.31.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The analysis is based on the detailed vulnerability description provided, which explicitly names the vulnerable function pg8000.native.literal and the nature of the vulnerability (SQL injection via crafted list input). Despite being unable to fetch the specific commit patch due to accessibility issues with the provided URLs, the description provides sufficient detail to identify the vulnerable function with a high degree of confidence. The root cause of the vulnerability is the improper handling of list inputs within the literal function, which allows for the injection of malicious SQL code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

SQL inj**tion vuln*r**ility in tlo*k* p***** *.**.* *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry SQL *omm*n*s vi* * sp**i*lly *r**t** Pyt*on list input to *un*tion p*****.n*tiv*.lit*r*l.

Reasoning

T** *n*lysis is **s** on t** **t*il** vuln*r**ility **s*ription provi***, w*i** *xpli*itly n*m*s t** vuln*r**l* *un*tion `p*****.n*tiv*.lit*r*l` *n* t** n*tur* o* t** vuln*r**ility (SQL inj**tion vi* *r**t** list input). **spit* **in* un**l* to **t**