A critical SQL injection vulnerability, identified as CVE-2025-61385 with a CVSS score of 9.6, has been discovered in the tlocke pg8000 Python library. This flaw allows a remote, unauthenticated attacker to execute arbitrary commands on the underlying database, potentially leading to a complete compromise of data confidentiality, integrity, and availability. Organizations using the affected library are at immediate risk of data theft, modification, or deletion.

The vulnerability exists within the pg8000.native.literal function, which is responsible for formatting Python objects for use in SQL queries. The function improperly sanitizes specially crafted Python list inputs. An attacker can supply a malicious list that, when processed, breaks out of the intended SQL statement structure and injects arbitrary SQL commands. Successful exploitation does not require authentication and can be achieved by any remote attacker who can control input that is passed to this function by a web application or other service.

This vulnerability is rated as critical severity with a CVSS score of 9.6. Successful exploitation could have a catastrophic impact on the business. An attacker could exfiltrate, modify, or delete entire databases containing sensitive information such as customer data, financial records, and intellectual property. This could lead to severe financial losses, significant reputational damage, operational disruption, and potential legal and regulatory penalties for non-compliance with data protection standards (e.g., GDPR, CCPA). In some database configurations, this vulnerability could also be leveraged to gain command execution on the underlying server, resulting in a full system compromise.

Immediate Action: All systems utilizing the vulnerable tlocke pg8000 library must be updated immediately to the latest patched version as recommended by the vendor. After patching, it is crucial to monitor application and database logs for any signs of attempted or successful exploitation that may have occurred prior to remediation.

Proactive Monitoring: Security teams should actively monitor for indicators of compromise, including:

• Reviewing database logs for unusual or unauthorized SQL queries, such as UNION statements, DROP TABLE commands, or queries containing reconnaissance functions (e.g., version(), user()).
• Analyzing web application logs for suspicious input patterns targeting the vulnerable function.
• Monitoring network traffic for anomalous data egress from database servers, which could indicate data exfiltration.

Compensating Controls: If immediate patching is not feasible, the following temporary measures can help mitigate risk:

• Deploy or configure a Web Application Firewall (WAF) with strict SQL injection rule sets to inspect and block malicious requests before they reach the application.
• Enforce the principle of least privilege for the database user account connected to the application, restricting its permissions to the absolute minimum required for normal operation.
• Implement robust input validation and sanitization at the application layer as a defense-in-depth measure.

Public Exploit Available: false

Given the critical severity of CVE-2025-61385, organizations are strongly advised to treat this vulnerability with the highest priority. The potential for complete database compromise presents an unacceptable risk. All system owners must immediately identify assets running the vulnerable pg8000 library and apply the vendor-supplied patches without delay. While this vulnerability is not yet on the CISA KEV list, its high impact score indicates it is a prime candidate for future inclusion and should be remediated with the utmost urgency.