Hi
I have a working Moodle on PostgreSQL 16.6.
Unfortunately, I can't upgrade Postgres in the near future.
I wonder whether this vulnerability can affect the security of Moodle.
I have performed an analysis:
CVE-2025-1094: https://www.postgresql.org/support/security/CVE-2025-1094/
Function Purpose: PostgreSQL provides functions such as PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() and PQescapeStringConn() to “escape” (i.e. correctly handle) strings entered by users. In this way, they protect against so-called SQL injection - a situation in which a malicious user could inject additional, unauthorized SQL commands.
The problem: In certain cases, when an application uses the result of these functions to build SQL queries (e.g. for an interactive psql terminal or command-line tools), improper neutralization may not work. As a result, a malicious user can manipulate the input data to insert their own SQL fragments into the query.
Coding context: Specifically, the vulnerability occurs when specific encoding sets are used - for example, when the client's encoding is BIG5 and the server's is one of EUC_TW or MULE_INTERNAL. It is with these configurations that the functions fail to fully neutralize characters.
In my opinion, Moodle, as a system written in PHP, does not directly call functions such as PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() or PQescapeStringConn(). Instead, Moodle uses the database abstraction layer and PHP extensions (such as pgsql or PDO_PGSQL).
What do you think about it?
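
One way to check an installation against the encoding combination named in the post (client BIG5 with server EUC_TW or MULE_INTERNAL). This is an added example, not part of the original post and not Moodle or PostgreSQL project code. It assumes a psql session connected to the cluster that hosts the Moodle database; the output column names are chosen here for illustration.

```sql
-- Added example: read-only catalog queries, no changes are made.

-- 1) Server version, plus the server and client encoding of THIS session.
--    client_encoding is chosen per session by the client, so this row only
--    describes the connection that runs the query, not Moodle's own connection.
SELECT current_setting('server_version')  AS server_version,
       current_setting('server_encoding') AS server_encoding,
       current_setting('client_encoding') AS client_encoding,
       (upper(current_setting('client_encoding')) = 'BIG5'
        AND upper(current_setting('server_encoding')) IN ('EUC_TW', 'MULE_INTERNAL'))
           AS combination_from_post;

-- 2) Server encoding of every connectable database in the cluster.
--    A database using EUC_TW or MULE_INTERNAL satisfies the server half
--    of the combination described in the post.
SELECT datname,
       pg_encoding_to_char(encoding) AS server_encoding,
       pg_encoding_to_char(encoding) IN ('EUC_TW', 'MULE_INTERNAL')
           AS server_side_match
FROM pg_database
WHERE datallowconn
ORDER BY datname;

-- 3) Stored per-database / per-role defaults that set client_encoding
--    (created with ALTER DATABASE ... SET or ALTER ROLE ... SET).
--    setdatabase = 0 or setrole = 0 means "applies to all".
SELECT coalesce(d.datname, '(all databases)') AS database_name,
       coalesce(r.rolname, '(all roles)')     AS role_name,
       cfg                                    AS stored_setting
FROM pg_db_role_setting AS s
LEFT JOIN pg_database AS d ON d.oid = s.setdatabase
LEFT JOIN pg_roles    AS r ON r.oid = s.setrole
CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE cfg ILIKE 'client_encoding=%'
ORDER BY 1, 2;
```

A client can also set its encoding through its connection options or the PGCLIENTENCODING environment variable, which none of these queries can see, so the configuration of each client that connects needs checking as well.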