Jan 2, 2026 · 6 min read
pREST, the tool that magically turns PostgreSQL databases into REST APIs, had a magical flaw: it trusted user input to build SQL structure. By manipulating parameters like `_join` and `_returning`, attackers could bypass validation and execute arbitrary SQL, leading to total database compromise. Fixed in version 2.0.0-rc3.
A systemic SQL injection vulnerability in pREST allows unauthenticated remote attackers to execute arbitrary SQL commands via manipulated API parameters. The flaw stems from widespread string concatenation in critical query builders like JOIN and RETURNING clauses.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| pREST prestd | < 2.0.0-rc3 | 2.0.0-rc3 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-89 |
| Attack Vector | Network |
| CVSS v4.0 | 9.3 (Critical) |
| EPSS Score | 0.0004 (Low Confidence) |
| Impact | Critical (Data Exfiltration, RCE via SQL) |
| Exploit Status | PoC Available / High Probability |
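The root cause named above is request parameters such as `_join` and `_returning` being concatenated straight into JOIN and RETURNING clauses. The following is an added illustration, not pREST's own code, of how a query builder can let the request choose names while keeping SQL structure fixed: every identifier is allowlist-validated and double-quoted, and join types and operators are looked up in fixed tables rather than copied through. The `type:table:left:$op:right` layout of the `_join` value is an assumption for this example; the same `quoteIdent` rule is what a `_returning` column list needs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// identRe is the only shape accepted for a name from the request: letters,
// digits and underscore, not starting with a digit; anything else is rejected.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// quoteIdent validates each dotted part of "name" or "table.name" and returns
// it double-quoted, so PostgreSQL reads it as an identifier, never as SQL.
func quoteIdent(s string) (string, error) {
	parts := strings.Split(s, ".")
	for i, p := range parts {
		if !identRe.MatchString(p) {
			return "", fmt.Errorf("rejected identifier %q", s)
		}
		parts[i] = `"` + p + `"`
	}
	return strings.Join(parts, "."), nil
}

// Operators and join types come from fixed tables, never from the request text.
var joinOps = map[string]string{"$eq": "=", "$ne": "<>", "$lt": "<", "$gt": ">"}
var joinTypes = map[string]bool{"inner": true, "left": true, "right": true, "full": true}

// BuildJoin turns a _join value of the assumed shape "type:table:left:$op:right"
// into a JOIN clause: the caller picks names and tokens, not SQL structure.
func BuildJoin(spec string) (string, error) {
	p := strings.Split(spec, ":")
	if len(p) != 5 || !joinTypes[strings.ToLower(p[0])] || joinOps[p[3]] == "" {
		return "", fmt.Errorf("rejected join spec %q", spec)
	}
	var ids [3]string
	for i, raw := range []string{p[1], p[2], p[4]} {
		q, err := quoteIdent(raw)
		if err != nil {
			return "", err
		}
		ids[i] = q
	}
	return fmt.Sprintf("%s JOIN %s ON %s %s %s", strings.ToUpper(p[0]),
		ids[0], ids[1], joinOps[p[3]], ids[2]), nil
}
func main() {
	fmt.Println(BuildJoin("inner:orders:orders.user_id:$eq:users.id"))
}
```

Any value that fails the identifier or token check is refused before a query string exists, which is the property the vulnerable concatenation lacked.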