{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-69662", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T18:22:26.627Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-01-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-30T18:54:57.334Z"}, "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://aydinnyunus.github.io/2025/12/27/sql-injection-geopandas/"}, {"url": "https://github.com/geopandas/geopandas/pull/3681"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T19:18:06.820578Z", "id": "CVE-2025-69662", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T19:18:50.711Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00025.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-21T18:22:26.627Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00025.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-21T18:22:26.627Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69662", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-30T19:18:06.820578Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T19:14:57.482Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://aydinnyunus.github.io/2025/12/27/sql-injection-geopandas/"}, {"url": "https://github.com/geopandas/geopandas/pull/3681"}], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-30T18:54:57.334Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69662", "state": "PUBLISHED", "dateUpdated": "2026-04-21T18:22:26.627Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-01-30T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:geopandas:geopandas:*:*:*:*:*:python:*:*", "matchCriteriaId": "24630160-48DA-4222-AF38-862C18B635C9", "versionEndExcluding": "1.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en geopandas anterior a la v.1.1.2 permite a un atacante obtener informaci\u00f3n sensible a trav\u00e9s de la funci\u00f3n to_postgis() que se utiliza para escribir GeoDataFrames en una base de datos PostgreSQL."}], "id": "CVE-2025-69662", "lastModified": "2026-04-21T19:16:16.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-30T19:16:11.967", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://aydinnyunus.github.io/2025/12/27/sql-injection-geopandas/"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/geopandas/geopandas/pull/3681"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00025.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:13:15.286742+00:00", "value": {"mitigation_remediation": ["Upgrade geopandas to version 1.1.2 or later to eliminate the SQL injection flaw. ", "Sanitize or validate all data passed to to_postgis, ensuring that only safe, parameterized inputs reach the database layer. ", "Configure the PostgreSQL user used by geopandas to have the minimal privileges necessary\u2014ideally only INSERT and SELECT on the target tables\u2014and monitor database logs for unexpected activity."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "Any installation of geopandas older than version 1.1.2 that uses the to_postgis() routine to persist data into PostgreSQL is affected. The impact is confined to environments where geopandas is executed with code that can influence the arguments passed to the function\u2014such as custom scripts, data pipelines, or web services that expose data ingestion endpoints.", "description_and_impact": "Geopandas, an open\u2011source Python library for geospatial data, contains a flaw in its to_postgis() function that allows an attacker to inject arbitrary SQL when writing GeoDataFrames to a PostgreSQL database. The vulnerability is a classic input validation failure (CWE\u201189) and permits a malicious actor to obtain data that the database had stored, potentially leaking sensitive geospatial records. The CVE description does not state that destructive writes are possible, so the impact is limited to unauthorized read access as described.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.6, indicating high severity. The EPSS score is reported as less than 1%, suggesting a low likelihood of exploitation under normal circumstances, and it is not listed in the CISA KEV catalog. While the exploit requires some level of code execution or data injection capability, the most likely pathway is through local code that utilizes to_postgis(); in shared or public services, an attacker could supply crafted data that is then written to the database. The risk is primarily the potential exposure of confidential geospatial content rather than denial of service or integrity loss."}}}}, "created": "2026-02-02T09:27:25.219704+00:00", "title": "Unauthorized SQL Injection via geopandas to_postgis()", "updated": "2026-04-22T12:15:16.039334+00:00", "vendors": ["geopandas", "geopandas$PRODUCT$geopandas"]}