CVE-2025-12967

8.0 HIGH

📋 TL;DR

This vulnerability in AWS Wrappers for Amazon Aurora PostgreSQL allows low-privilege authenticated database users to escalate privileges to the rds_superuser role. Attackers can create crafted functions that execute with permissions of other RDS users, potentially gaining full database control. Organizations using affected AWS wrapper libraries for Aurora PostgreSQL are impacted.

💻 Affected Systems

Products:
  • AWS JDBC Wrapper
  • AWS Go Wrapper
  • AWS NodeJS Wrapper
  • AWS Python Wrapper
  • AWS PGSQL ODBC driver
Versions: All versions before the patched releases
Operating Systems: All platforms running affected wrapper libraries
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Amazon Aurora PostgreSQL instances using the vulnerable AWS wrapper libraries. Requires authenticated database access.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise where attackers gain rds_superuser privileges, allowing them to read/modify all data, create/delete databases, install malicious extensions, and potentially pivot to other AWS resources.

🟠 Likely Case

Data exfiltration, privilege escalation within the database, and unauthorized access to sensitive information stored in the affected Aurora PostgreSQL instances.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access controls, and monitoring are in place, though the vulnerability still presents significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated database access and knowledge of PostgreSQL function creation. The advisory suggests the attack involves creating crafted functions that execute with elevated permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: AWS JDBC Wrapper v2.6.5, AWS Go Wrapper 2025-10-17, AWS NodeJS Wrapper v2.0.1, AWS Python Wrapper v1.4.0, AWS PGSQL ODBC driver v1.0.1

Vendor Advisory: https://aws.amazon.com/security/security-bulletins/AWS-2025-028/

Restart Required: Yes

Instructions:

  1. Identify all applications using affected AWS wrapper libraries.
  2. Update each wrapper to the patched version.
  3. Restart applications/services using the updated libraries.
  4. Test functionality after the update.

🔧 Temporary Workarounds

Restrict Database User Privileges


Apply strict least-privilege principles to database users, revoking from non-administrative users the CREATE privileges (on schemas, and on the database for creating new schemas) that function creation depends on.

REVOKE CREATE ON SCHEMA public FROM [username];
REVOKE CREATE ON DATABASE [dbname] FROM [username];

🧯 If You Can't Patch

  • Implement strict network access controls to limit database connections to trusted sources only
  • Enhance database monitoring for suspicious function creation and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the version of AWS wrapper libraries in use by examining application dependencies or package manifests.

Check Version:

Check library version through application dependency management tools (e.g., npm list, pip show, go mod, Maven/Gradle dependencies)

Verify Fix Applied:

Confirm updated wrapper versions are deployed and verify applications function correctly with the new versions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CREATE FUNCTION statements from non-admin users
  • Privilege escalation attempts to rds_superuser
  • Suspicious function execution patterns

Network Indicators:

  • Unusual database connection patterns from unexpected sources

SIEM Query:

source="postgresql" AND ("CREATE FUNCTION" OR "rds_superuser") AND user!="postgres"
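As an added example (not part of this advisory or of any AWS code), a small Python scanner that applies the log indicators above to PostgreSQL log lines: it flags CREATE FUNCTION/PROCEDURE statements from accounts outside an assumed admin set and any GRANT or SET ROLE that references rds_superuser, generalizing the SIEM query from a single excluded user to a configurable allow-list. It assumes the RDS default log_line_prefix ('%t:%r:%u@%d:[%p]:') with log_statement at least ddl; the admin set and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Assumes the RDS default log_line_prefix '%t:%r:%u@%d:[%p]:' and log_statement >= ddl.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \w+):(?P<client>[^:]*):(?P<user>[^@:]+)@"
    r"(?P<db>[^:]*):\[(?P<pid>\d+)\]:(?P<level>[A-Z]+):\s+(?:statement|execute [^:]*):\s*(?P<sql>.*)$"
)
# Indicator 1: function/procedure creation, the primitive this CVE abuses.
CREATE_FUNC_RE = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?(?:FUNCTION|PROCEDURE)\b", re.I)
# Indicator 2: any attempt to acquire or switch into rds_superuser.
SUPERUSER_RE = re.compile(r"\b(?:GRANT|SET\s+ROLE|SET\s+SESSION\s+AUTHORIZATION)\b.*\brds_superuser\b", re.I)

# Assumed administrative accounts; replace with the roles that legitimately run DDL in your environment.
ADMIN_USERS = frozenset({"postgres", "rdsadmin"})


@dataclass
class Finding:
    user: str
    db: str
    reason: str
    sql: str


def scan(lines, admin_users=ADMIN_USERS):
    """Return one Finding per log line that matches an indicator and was not issued by an admin."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] in admin_users:
            continue  # unparseable prefix, non-statement line (e.g. ERROR), or trusted account
        sql = m["sql"]
        if CREATE_FUNC_RE.search(sql):
            findings.append(Finding(m["user"], m["db"], "create_function_by_non_admin", sql))
        elif SUPERUSER_RE.search(sql):
            findings.append(Finding(m["user"], m["db"], "rds_superuser_reference", sql))
    return findings


# Constructed sample log (not real data): a benign query, DDL by an admin, two indicators, one ERROR line.
SAMPLE_LOG = [
    "2025-10-20 12:00:01 UTC:10.0.1.5(51234):app_user@appdb:[1234]:LOG:  statement: SELECT 1",
    "2025-10-20 12:00:02 UTC:10.0.1.5(51234):app_user@appdb:[1234]:LOG:  statement: CREATE OR REPLACE FUNCTION public.helper() RETURNS int LANGUAGE sql AS $$ SELECT 1 $$",
    "2025-10-20 12:00:03 UTC:10.0.1.9(40000):postgres@appdb:[1300]:LOG:  statement: CREATE FUNCTION util() RETURNS void LANGUAGE sql AS $$ SELECT $$",
    "2025-10-20 12:00:04 UTC:10.0.1.5(51234):app_user@appdb:[1234]:LOG:  statement: GRANT rds_superuser TO app_user",
    "2025-10-20 12:00:05 UTC:10.0.1.5(51234):app_user@appdb:[1234]:ERROR:  permission denied to grant role",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.reason}: {f.user}@{f.db}: {f.sql[:60]}")
```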
