Severity: Critical (CVSS v4.0 base 9.3)
Affected: pREST < 2.0.0-rc3
Type: SQL Injection (CWE-89)
Primary sources: NVD record, GitHub security advisory, and early vendor/analyst coverage (AttackerKB).
1) What’s vulnerable & why it matters
pREST provides a RESTful API directly over PostgreSQL. CVE-2025-58450 is described as a systemic SQLi across routes, enabling unauthenticated attackers to craft requests that are concatenated into SQL without proper neutralization. On Internet-facing deployments this can translate into full data exfiltration, credential theft, and data/metadata manipulation.
- Score/Vector (CVSS v4.0): AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H → 9.3 (Critical). Documented in the CVE CNA (GitHub) metadata published to NVD.
- Fixed in: 2.0.0-rc3 (see vendor advisory & patch commit).
2) Likely attack paths (based on pREST design)
- Query/filter parameters that map directly to SQL WHERE/ORDER/LIMIT constructs.
- Route-bound resources (e.g., /api/<schema>/<table>) that accept raw expressions.
- Function-style endpoints where input becomes arguments in SQL calls.
These are the typical hotspots for REST-to-SQL frameworks and are called out in the GitHub advisory as systemic injection surfaces.
3) Detection & hunting guidance (SOC runbook)
HTTP indicators
- Spikes of requests against /api/* with suspicious operators (--, /*…*/, '||', ;, cast(, extractvalue, pg_sleep, pg_read_file, etc.).
- Unusual error strings in responses (e.g., "syntax error at or near…", PostgreSQL error codes).
Database indicators
- Unexpected long-running queries or time-based probes (e.g., pg_sleep() patterns).
- Access to sensitive catalog tables (e.g., pg_authid, pg_user, pg_shadow) from API roles.
- DDL/DCL statements issued by the application role outside normal release windows.
SIEM queries (examples)
- Reverse proxy / WAF logs: search for requests to /api/ with metacharacters [';]|--|/\*|\bpg_[a-z]+ (tune per env).
- PostgreSQL logs: statement ~ '(pg_read_file|pg_sleep|pg_write_file|COPY\s+\(SELECT)' with the app role.
(Adapt these to Splunk/Elastic/Cloud SIEM; enable statement logging for the pREST role in containment windows.)
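As an added example that is not part of this advisory, the following Python script applies the two runbook patterns above to constructed sample proxy and PostgreSQL log lines, decoding URL-encoded request targets before matching (an encoded quote such as %27 would otherwise slip past the proxy pattern) and keeping only PostgreSQL statements issued by the application role. The role name `prest` and the `%u@%d` log_line_prefix are assumptions, not values from the advisory.

```python
import re
from urllib.parse import unquote

# Runbook patterns from the SIEM section above; tune per environment.
PROXY_PATTERN = re.compile(r"[';]|--|/\*|\bpg_[a-z]+", re.IGNORECASE)
PG_PATTERN = re.compile(r"pg_read_file|pg_sleep|pg_write_file|COPY\s+\(SELECT", re.IGNORECASE)
APP_ROLE = "prest"  # assumed name of the pREST database role (not from the advisory)

# Constructed sample lines, not real traffic: nginx-style access log entries
# and PostgreSQL log lines with log_line_prefix '%u@%d ' before the statement.
PROXY_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /api/public/users?_select=id,name HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2025:10:00:01 +0000] "GET /api/public/users?name=x%27%20OR%201=1-- HTTP/1.1" 500 88
203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /api/public/users?_select=pg_sleep(5) HTTP/1.1" 200 10
198.51.100.4 - - [01/Jan/2025:10:00:03 +0000] "GET /static/app.js?v=1--2 HTTP/1.1" 200 9000
"""
PG_LOG = """\
prest@appdb LOG:  statement: SELECT id, name FROM public.users LIMIT 10
prest@appdb LOG:  statement: SELECT pg_sleep(5)
postgres@appdb LOG:  statement: SELECT pg_read_file('x')
prest@appdb LOG:  statement: COPY (SELECT rolname FROM pg_authid) TO '/tmp/x'
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')
PG_LINE_RE = re.compile(r"^(?P<role>[^@\s]+)@\S+\s+LOG:\s+statement:\s+(?P<stmt>.*)$")


def suspicious_proxy_requests(log: str) -> list[str]:
    """Decoded /api/ request targets whose path or query matches PROXY_PATTERN."""
    hits = []
    for line in log.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = unquote(m.group(1))  # decode %27 etc. so encoded quotes are not missed
        if target.startswith("/api/") and PROXY_PATTERN.search(target):
            hits.append(target)
    return hits


def suspicious_pg_statements(log: str, app_role: str = APP_ROLE) -> list[str]:
    """Statements issued by the app role that match PG_PATTERN (other roles are ignored)."""
    hits = []
    for line in log.splitlines():
        m = PG_LINE_RE.match(line)
        if m and m.group("role") == app_role and PG_PATTERN.search(m.group("stmt")):
            hits.append(m.group("stmt"))
    return hits


if __name__ == "__main__":
    print(suspicious_proxy_requests(PROXY_LOG))
    print(suspicious_pg_statements(PG_LOG))
```

The static-asset request containing `--` is ignored because only /api/ targets are checked, and the pg_read_file line is ignored because it was issued by a different role; both filters are where most of the tuning per environment happens.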
4) Exploitation likelihood
- Low complexity, remote, no auth per CVSS vector → internet-exposed instances are high risk.
- Early reports note working repros against default Docker setups (JWT off) in test environments. Treat as exploitable until fully patched.
5) Mitigation & remediation
Patch now
- Upgrade pREST to ≥ 2.0.0-rc3 immediately; this release contains the vendor fixes referenced in the advisory.
Exposure hardening
- If you must run interim:
  - Place pREST behind an authN/authZ gateway (OAuth2/OIDC) so no unauthenticated SQL paths exist.
  - Enforce parameter allow-lists (safe columns/ops only) via reverse proxy (e.g., Apache/Nginx with Lua, or API gateway policies).
  - Turn on a WAF rule set for SQLi (operators, stacked queries, comments); log and block. (WAF alone is not a fix.)
Database safeguards
- Restrict the pREST DB role to read-only where possible; never SUPERUSER.
- Revoke access to sensitive catalogs; use SECURITY DEFINER wrappers only if audited.
- Enable log_statement=ddl (temporarily log_statement=all during incident response) and rotate credentials.
Secrets & tokens
- If the instance has been reachable from the internet, assume exposure: rotate DB credentials, any JWT/Basic credentials, and upstream API keys used by pREST.
6) Validation after patch
- Run the vendor's reproduction steps (from the advisory) against your patched instance; all previously successful payloads should now fail with 400/403 or sanitized SQL.
- Snapshot DB audit logs for the change window; verify no residual risky queries are executed by the app role.
7) Business impact & risk notes for leadership
- pREST commonly fronts customer data and internal operational tables; systemic SQLi implies potential data integrity loss and breach notification obligations.
- Treat this as a material risk where PCI/PHI/PII is stored; engage legal/compliance for potential reporting thresholds.
8) References / further reading
- NVD: CVE-2025-58450 (record just published).
- GitHub Security Advisory GHSA-p46v-f2x8-qp98, with fix and reproduction guidance.
- AttackerKB summary (threat-focused synopsis).
- Community trackers/feeds (OpenCVE, feeds, social).
