CVE-2025-58450: pREST has a Systemic SQL Injection Vulnerability

September 8, 2025 (updated September 10, 2025)

pREST provides a simple way for users to expose their database via a RESTful API. The project is implemented in the Go programming language and is designed to expose access to Postgres database tables.

During an independent review of the project, Doyensec engineers found that SQL injection is a systemic problem in the current implementation (version v2.0.0-rc2). Even though there are several instances of attempts to sanitize user input and mitigate injection attempts, we have found that on most code-paths, the protection is faulty or non-existent.

References

  • github.com/advisories/GHSA-p46v-f2x8-qp98
  • github.com/prest/prest
  • github.com/prest/prest/commit/47d02b87842900f77d76fc694d9aa7e983b0711c
  • github.com/prest/prest/security/advisories/GHSA-p46v-f2x8-qp98
  • nvd.nist.gov/vuln/detail/CVE-2025-58450

Affected versions

All versions

Solution

Unfortunately, there is no solution available yet.

Weakness

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Source file

go/github.com/prest/prest/v2/CVE-2025-58450.yml

Page generated Fri, 12 Sep 2025 00:18:32 +0000.