It's absolutely trivial. Don't run as superuser, done.
Again, there is no vulnerability to prevent. If you explicitly allow superusers to log in remotely, they can do superuser things. Just like if you allow "root" to ssh in remotely, people can use that to ssh in as "root" and do root-level things like delete your files.
(The report is of course also simply factually incorrect, because the pg_read_server_files role has exactly nothing to do with it. Which is also clearly documented. And you can even tell from the name that it's about reading files.)
This is not a security vulnerability in the product. It is behaving exactly as intended. It may be misconfigured in some deployments, but it's not a product vulnerability.
Sonatype Nexus Auditor is reporting the following Threat level 9 vulnerability on Postgres:
Vulnerability
Issue: CVE-2019-9193
Severity: Sonatype CVSS 3.0: 9.8
Weakness: Sonatype CWE: 94
Source: National Vulnerability Database
Categories: Data
Description
Description from CVE: In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_read_server_files' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS.
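The replies above put the exposure in configuration: whether superusers are allowed to log in remotely. As an added example (not code from the thread or from the PostgreSQL project), this Python sketch scans pg_hba.conf text for rules that admit a superuser role from a non-loopback address. Assumptions: the caller supplies the superuser names (for instance the roles with rolsuper set in pg_roles), the sample file is constructed, each rule is judged on its own rather than by first-match order, and "+group", "@file" and include directives are not resolved.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample, not taken from any real server.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                    METHOD
local   all       postgres                             peer
host    all       postgres  127.0.0.1/32               scram-sha-256
host    all       postgres  ::1/128                    scram-sha-256
host    all       postgres  203.0.113.0/24             reject
host    appdb     app_rw    10.0.0.0/8                 scram-sha-256
host    all       all       10.0.0.0/8                 scram-sha-256
hostssl all       postgres  192.168.1.0 255.255.255.0  md5
"""

def is_remote(addr, mask=None):
    """True unless the address field is confined to the server itself."""
    if addr == "samehost":
        return False
    try:
        net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
    except ValueError:
        return True  # hostname, "all" or "samenet": other machines can match
    return not net.is_loopback

def audit_hba(text, superusers):
    """Return (line_no, rule) for each rule admitting a superuser over TCP/IP."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue  # blank line, comment, or "local" (Unix socket) rule
        users, addr, mask, method = fields[2], fields[3], None, fields[4]
        if "/" not in addr:
            try:  # an IP without a prefix length is followed by a separate netmask
                ipaddress.ip_address(addr)
                mask, method = fields[4], fields[5]
            except (ValueError, IndexError):
                pass
        names = set(users.split(","))  # "+group" and "@file" entries are not resolved
        if method != "reject" and ("all" in names or names & superusers) \
                and is_remote(addr, mask):
            findings.append((no, " ".join(fields)))
    return findings

if __name__ == "__main__":
    for no, rule in audit_hba(SAMPLE_HBA, {"postgres"}):
        print(f"line {no}: superuser can log in remotely: {rule}")
```

On the constructed sample it reports lines 7 and 8: the "all" user rule for 10.0.0.0/8 and the address-plus-netmask rule for postgres.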