Privilege Escalation in Aurora PostgreSQL using AWS JDBC Wrapper, AWS Go Wrapper, AWS NodeJS Wrapper, AWS Python Wrapper, AWS PGSQL ODBC driver
CVE-2025-12967 is a privilege escalation vulnerability in AWS Wrappers for Amazon Aurora PostgreSQL. A low privilege authenticated user can create a crafted function that executes with the permissions of other Amazon RDS users, potentially escalating to the rds_superuser role. This affects multiple AWS Wrappers including JDBC, Go, NodeJS, Python, and the PGSQL ODBC driver in versions prior to specified fixed releases. AWS has released updated versions to address this issue and recommends upgrading. A workaround involves removing the public schema from the search path.
AI Analysis
Technical Summary
Amazon Aurora PostgreSQL's AWS Wrappers (JDBC, Go, NodeJS, Python, PGSQL ODBC driver) contain a vulnerability (CVE-2025-12967) that allows a low privilege authenticated user to escalate privileges to the rds_superuser role by creating a crafted function executed with other RDS users' permissions. Impacted versions are those prior to AWS JDBC Wrapper 2.6.5, Go Wrapper 2025-10-17, NodeJS Wrapper 2.0.1, Python Wrapper 1.4.0, and PGSQL ODBC driver 1.0.1. AWS recommends upgrading to these fixed versions. A workaround is to remove the public schema from the search path to mitigate risk until upgrades are applied.
Potential Impact
The vulnerability allows privilege escalation to the rds_superuser role within Amazon Aurora PostgreSQL environments using affected AWS Wrappers. This could enable an attacker with low privilege authenticated access to execute functions with elevated permissions, potentially compromising database integrity and security. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
AWS has released fixed versions for all affected wrappers: AWS JDBC Wrapper v2.6.5, Go Wrapper 2025-10-17, NodeJS Wrapper v2.0.1, Python Wrapper v1.4.0, and PGSQL ODBC driver v1.0.1. Customers should upgrade to these versions promptly. As a workaround, removing the public schema from the search path can reduce exposure. Patch status is confirmed as fixed by AWS official advisory.
Privilege Escalation in Aurora PostgreSQL using AWS JDBC Wrapper, AWS Go Wrapper, AWS NodeJS Wrapper, AWS Python Wrapper, AWS PGSQL ODBC driver
Description
CVE-2025-12967 is a privilege escalation vulnerability in AWS Wrappers for Amazon Aurora PostgreSQL. A low privilege authenticated user can create a crafted function that executes with the permissions of other Amazon RDS users, potentially escalating to the rds_superuser role. This affects multiple AWS Wrappers including JDBC, Go, NodeJS, Python, and the PGSQL ODBC driver in versions prior to specified fixed releases. AWS has released updated versions to address this issue and recommends upgrading. A workaround involves removing the public schema from the search path.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Amazon Aurora PostgreSQL's AWS Wrappers (JDBC, Go, NodeJS, Python, PGSQL ODBC driver) contain a vulnerability (CVE-2025-12967) that allows a low privilege authenticated user to escalate privileges to the rds_superuser role by creating a crafted function executed with other RDS users' permissions. Impacted versions are those prior to AWS JDBC Wrapper 2.6.5, Go Wrapper 2025-10-17, NodeJS Wrapper 2.0.1, Python Wrapper 1.4.0, and PGSQL ODBC driver 1.0.1. AWS recommends upgrading to these fixed versions. A workaround is to remove the public schema from the search path to mitigate risk until upgrades are applied.
Potential Impact
The vulnerability allows privilege escalation to the rds_superuser role within Amazon Aurora PostgreSQL environments using affected AWS Wrappers. This could enable an attacker with low privilege authenticated access to execute functions with elevated permissions, potentially compromising database integrity and security. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
AWS has released fixed versions for all affected wrappers: AWS JDBC Wrapper v2.6.5, Go Wrapper 2025-10-17, NodeJS Wrapper v2.0.1, Python Wrapper v1.4.0, and PGSQL ODBC driver v1.0.1. Customers should upgrade to these versions promptly. As a workaround, removing the public schema from the search path can reduce exposure. Patch status is confirmed as fixed by AWS official advisory.
Technical Details
- Article Source
- {"url":"https://aws.amazon.com/security/security-bulletins/rss/aws-2025-028/","fetched":true,"fetchedAt":"2026-05-26T20:30:26.791Z","wordCount":187}
Threat ID: 6a1602f0e29bf47b505da204
Added to database: 5/26/2026, 8:30:40 PM
Last enriched: 5/26/2026, 8:35:56 PM
Last updated: 5/26/2026, 10:50:28 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.