Simon Willison 12/18/2025

Inside PostHog: How SSRF, a ClickHouse SQL Escaping 0day, and Default PostgreSQL Credentials Formed an RCE Chain

Read Original

A detailed breakdown of a sophisticated Remote Code Execution (RCE) vulnerability chain discovered in the PostHog analytics platform. The attack combined a Server-Side Request Forgery (SSRF) via webhooks, a zero-day SQL escaping bug in ClickHouse's PostgreSQL function, and default database credentials to execute shell commands on an internal PostgreSQL server, ultimately enabling a reverse shell.

0 comments
#postgresql #sql injection #Clickhouse
Inside PostHog: How SSRF, a ClickHouse SQL Escaping 0day, and Default PostgreSQL Credentials Formed an RCE Chain

Comments

No comments yet

Be the first to share your thoughts!

Browser Extension

Get instant access to AllDevBlogs from your browser

Top of the Week

1
React vs Browser APIs (Mental Model)
Jivbcoop 4 votes
2
React, useEffect, and Stale Closures: How to Avoid Them with Dependencies and useRef
Jivbcoop 3 votes
3
Better react-hook-form Smart Form Components
Maarten Hus 2 votes
4
Building Type-Safe Compound Components
TkDodo Dominik Dorfmeister 2 votes
5
Dew Drop – January 15, 2026 (#4583)
Alvin Ashcraft 1 votes
6
Using Browser Apis In React Practical Guide
Jivbcoop 1 votes
7
Building a Complete FIRE Calculator App with GitHub Copilot in One Chat Session
James Montemagno 1 votes