CVE-2025-12967: CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in AWS JDBC Wrapper
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to the rds_superuser role. A low-privilege authenticated user can create a crafted function that could be executed with the permissions of other Amazon Relational Database Service (RDS) users. We recommend customers upgrade to the following versions: AWS JDBC Wrapper to v2.6.5, AWS Go Wrapper to 2025-10-17, AWS NodeJS Wrapper to v2.0.1, AWS Python Wrapper to v1.4.0 and AWS PGSQL ODBC driver to v1.0.1.
AI Analysis
Technical Summary
CVE-2025-12967 is a vulnerability classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, also known as unsafe reflection) in the AWS Wrappers for Amazon Aurora PostgreSQL: the JDBC Wrapper, Go Wrapper, NodeJS Wrapper, Python Wrapper, and PGSQL ODBC driver. The flaw allows a low-privilege authenticated user to create a specially crafted function that executes with the permissions of other Amazon RDS users, including the highly privileged rds_superuser role. The wrappers improperly handle externally controlled input that selects which code is executed, which enables privilege escalation within the database environment. The vulnerability has a CVSS 4.0 base score of 8.6 (high severity), with a network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is high, since an attacker who gains elevated privileges can control or disrupt database operations. AWS has addressed the vulnerability in updated wrapper releases: AWS JDBC Wrapper v2.6.5, Go Wrapper 2025-10-17, NodeJS Wrapper v2.0.1, Python Wrapper v1.4.0, and PGSQL ODBC driver v1.0.1. No public exploits have been reported yet, but the risk remains significant given the low attack complexity and the potential impact.
Potential Impact
The vulnerability allows an attacker with low-privilege authenticated access to escalate to the rds_superuser role, the highest privilege level in Amazon RDS PostgreSQL environments. That grants full control over the database instance: reading, modifying, or deleting sensitive data, creating or dropping database objects, and interfering with database availability. The elevated privileges also let an attacker bypass security controls and potentially pivot to other parts of the infrastructure. Organizations running Amazon Aurora PostgreSQL with affected wrappers are exposed to severe data breaches, operational disruption, and compliance violations. Because the flaw is network-exploitable and requires no user interaction, the likelihood of exploitation is higher in hostile deployments, especially multi-tenant or shared setups where many users hold database access.
Mitigation Recommendations
Organizations should immediately upgrade all affected AWS Wrappers to the patched versions provided by AWS: JDBC Wrapper to v2.6.5, Go Wrapper to 2025-10-17, NodeJS Wrapper to v2.0.1, Python Wrapper to v1.4.0, and PGSQL ODBC driver to v1.0.1. In addition, restrict database user privileges to the minimum necessary, enforce strict authentication and access controls on low-privilege accounts, and monitor database logs for unusual function creation or privilege escalation attempts. Use network segmentation and firewall rules to restrict access to RDS instances. Regularly audit wrapper versions and configurations against these fixed releases. Consider deploying runtime application self-protection (RASP) or database activity monitoring (DAM) tools to detect and block suspicious function execution and privilege escalation.
Affected Countries
United States, Germany, United Kingdom, Japan, India, Australia, Canada, France, South Korea, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: AMZN
- Date Reserved: 2025-11-10T17:36:11.337Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69122d25a4f3f0878303d256
Added to database: 11/10/2025, 6:21:25 PM
Last enriched: 2/26/2026, 10:18:00 PM
Last updated: 3/24/2026, 10:48:47 PM