CVE-2025-1520

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-1520

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1520.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-1520

Aliases

GHSA-v64v-fq96-c5wv

Published

2025-04-23T17:16:52Z

Modified

2025-04-29T14:51:38.643602Z

Summary

[none]

Details

PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PostHog. Authentication is required to exploit this vulnerability.

The specific flaw exists within the implementation of the SQL parser. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the database account. Was ZDI-CAN-25350.

References

Affected packages

Git / github.com/posthog/posthog

Affected ranges

Type: GIT
Repo: https://github.com/posthog/posthog
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

6e8f035f9acd339c5ba87ba6ea40fc1ab3053d42

Affected versions

1.*

1.0.0

1.0.1

1.0.10

1.0.10.1

1.0.10.2

1.0.11

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.8.1

1.0.8.2

1.0.8.3

1.0.9

1.1.0

1.1.0.1

1.22.0-beta

1.25.0-beta

Other

list

release-1.*

release-1.22.0-beta