Privilege Escalation in Aurora PostgreSQL using AWS JDBC Wrapper, AWS Go Wrapper, AWS NodeJS Wrapper, AWS Python Wrapper, AWS PGSQL ODBC driver

Posted on: Nov 10, 2025

Bulletin ID: AWS-2025-028
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/11/10 10:15 AM PDT

Description:

Amazon Aurora PostgreSQL a fully managed relational database engine that's compatible with PostgreSQL.

We identified CVE-2025-12967, an issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.

Impacted versions:

• AWS JDBC Wrapper <2.6.5
• AWS Go Wrapper <2025-10-17
• AWS NodeJS Wrapper <2.0.1
• AWS Python Wrapper <1.4.0
• AWS ODBC driver <1.0.1

Resolution:

We recommend customers upgrade to the following versions:

• AWS JDBC Wrapper to v2.6.5
• AWS Go Wrapper to 2025-10-17
• AWS NodeJS Wrapper to v2.0.1
• AWS Python Wrapper to v1.4.0
• AWS PGSQL ODBC driver to v1.0.1

Workarounds:

Remove the public schema from the search path.

References:

• CVE-2025-12967
• GHSA-4jvf-wx3f-2x8q
• GHSA-7xw4-g7mm-r4hh
• GHSA-q327-fgm8-7mxf
• GHSA-7wq2-32h4-9hc9
• GHSA-8wj8-cfxr-9374

Please email aws-security@amazon.com with any security questions or concerns.