CVE-2025-1520: PostHog Plugin Server SQL Injection Vulnerability

April 23, 2025

PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PostHog. Authentication is required to exploit this vulnerability.

The specific flaw exists within the implementation of the SQL parser. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the database account. Was ZDI-CAN-25350.

References

github.com/PostHog/plugin-server
github.com/PostHog/posthog/commit/6e8f035f9acd339c5ba87ba6ea40fc1ab3053d42
github.com/advisories/GHSA-v64v-fq96-c5wv
nvd.nist.gov/vuln/detail/CVE-2025-1520
www.zerodayinitiative.com/advisories/ZDI-25-099

Code Behaviors & Features

Detect and mitigate CVE-2025-1520 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →