CVE-2025-58450

pREST-o Change-o: Turning REST APIs into Remote Shells via CVE-2025-58450

Amit Schendel
Senior Security Researcher

Jan 2, 2026 · 6 min read

Executive Summary (TL;DR)

pREST, the tool that magically turns PostgreSQL databases into REST APIs, had a magical flaw: it trusted user input to build SQL structure. By manipulating parameters like `_join` and `_returning`, attackers could bypass validation and execute arbitrary SQL, leading to total database compromise. Fixed in version 2.0.0-rc3.

A systemic SQL injection vulnerability in pREST allows unauthenticated remote attackers to execute arbitrary SQL commands via manipulated API parameters. The flaw stems from widespread string concatenation in critical query builders like JOIN and RETURNING clauses.
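To make the concatenation pattern concrete, here is an added example (not pREST's own code; the function names, the join-parameter layout and the `$eq`-style operator keys are assumptions) contrasting a join builder that splices caller-supplied names straight into SQL with one that allowlists join types and operators and validates identifiers before quoting them:

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// identRe accepts a bare SQL identifier or schema.table; anything else
// (quotes, spaces, semicolons, comment markers) is rejected before it reaches SQL.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$`)

// allowedOps is the closed set of comparison operators a join may use (assumed keys).
var allowedOps = map[string]string{"$eq": "=", "$ne": "<>", "$lt": "<", "$gt": ">"}

// buildJoinVulnerable mirrors the pattern the advisory describes: caller-supplied
// names become query text verbatim, so any SQL syntax in them is executed as SQL.
func buildJoinVulnerable(joinType, table, left, op, right string) string {
	return fmt.Sprintf(" %s JOIN %s ON %s %s %s", strings.ToUpper(joinType), table, left, op, right)
}

// quoteIdent double-quotes each dotted part (doubling embedded quotes) so a validated name is a literal identifier.
func quoteIdent(id string) string {
	parts := strings.Split(id, ".")
	for i, p := range parts {
		parts[i] = `"` + strings.ReplaceAll(p, `"`, `""`) + `"`
	}
	return strings.Join(parts, ".")
}

// buildJoinSafe emits only allowlisted join types and operators and identifiers that passed identRe.
func buildJoinSafe(joinType, table, left, opKey, right string) (string, error) {
	jt := strings.ToUpper(joinType)
	if jt != "INNER" && jt != "LEFT" && jt != "RIGHT" && jt != "FULL" {
		return "", errors.New("join type not allowed")
	}
	op, ok := allowedOps[opKey]
	if !ok {
		return "", errors.New("operator not allowed")
	}
	for _, id := range []string{table, left, right} {
		if !identRe.MatchString(id) {
			return "", fmt.Errorf("invalid identifier %q", id)
		}
	}
	return fmt.Sprintf(" %s JOIN %s ON %s %s %s", jt, quoteIdent(table), quoteIdent(left), op, quoteIdent(right)), nil
}
```

The safe builder never interpolates raw input: every fragment is either a fixed keyword, a mapped operator, or a quoted identifier that matched a strict pattern.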


Technical Appendix

CVSS Score: 9.3 / 10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Probability: 0.04% (top 100% most exploited)

Affected Systems

- pREST API Server
- PostgreSQL Databases exposed via pREST

Affected Versions Detail

Product: pREST (prestd)
Affected Versions: < 2.0.0-rc3
Fixed Version: 2.0.0-rc3

Attribute / Detail

CWE ID: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Attack Vector: Network
CVSS v4.0: 9.3 (Critical)
EPSS Score: 0.0004 (Low Confidence)
Impact: Critical (Data Exfiltration, RCE via SQL)
Exploit Status: PoC Available / High Probability

Vulnerability Timeline

2025-01-02: Vulnerability identified and patch released
2025-01-02: CVE-2025-58450 assigned
