CVE-2025-61385: pg8000 SQL injection vulnerability via a specially crafted Python list input

October 27, 2025

SQL injection vulnerability in tlocke pg8000 1.31.4 allows remote attackers to execute arbitrary SQL commands via a specially crafted Python list input to function pg8000.native.literal.

References

codeberg.org/tlocke/pg8000
codeberg.org/tlocke/pg8000/commit/8663c746b02286c32f19c385f0e2e5da9e4fa140
github.com/advisories/GHSA-wq2g-r956-j8cc
github.com/bmcyver/vulnerability-research/tree/main/CVE-2025-61385
nvd.nist.gov/vuln/detail/CVE-2025-61385

Code Behaviors & Features

Detect and mitigate CVE-2025-61385 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →