{"id":3107,"date":"2025-04-07T10:03:51","date_gmt":"2025-04-07T10:03:51","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/04\/07\/critical-pgadmin-vulnerability-let-attackers-execute-remote-code\/"},"modified":"2025-04-07T10:03:51","modified_gmt":"2025-04-07T10:03:51","slug":"critical-pgadmin-vulnerability-let-attackers-execute-remote-code","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/04\/07\/critical-pgadmin-vulnerability-let-attackers-execute-remote-code\/","title":{"rendered":"Critical pgAdmin Vulnerability Let Attackers Execute Remote Code"},"content":{"rendered":"

Critical pgAdmin Vulnerability Let Attackers Execute Remote Code
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical security vulnerability discovered in pgAdmin 4, the most widely used management tool for PostgreSQL databases<\/a>, is allowing attackers to execute arbitrary code on affected systems.\u00a0<\/p>\n

Security researchers have disclosed details of CVE-2025-2945, a severe Remote Code Execution (RCE) vulnerability with a CVSS score of 9.9, indicating the highest level of severity.<\/p>\n

The vulnerability affects all versions of pgAdmin 4 prior to 9.2, which was released on April 4, 2025. The security flaw exists in two separate POST endpoints: \/sqleditor\/query_tool\/download and \/cloud\/deploy.\u00a0<\/p>\n

Both endpoints contain dangerous implementations that pass untrusted user input directly to Python\u2019s eval() function without proper validation or sanitization.<\/p>\n

The Centre for Cybersecurity Belgium (CCB) issued an urgent advisory on April 4, warning that exploitation could lead to \u201cdata breaches, system compromise, and operational downtime impacting confidentiality, integrity, and availability of critical businesses.\u201d<\/p>\n

\npgAdmin Vulnerability<\/strong> Details<\/strong>
\n<\/h2>\n

In the \/sqleditor\/query_tool\/download\/<int:trans_id> endpoint, the vulnerability lies in how the application processes the query_commited parameter:<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

This implementation allows attackers to send malicious Python code<\/a> that will be executed on the server. For example, a simple malicious request could look like:<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

Similarly, in the \/cloud\/deploy endpoint, the high_availability parameter is directly passed to eval():<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

This allows attackers to craft malicious requests that can execute arbitrary code on the server, potentially leading to complete system compromise.<\/p>\n

The summary of the vulnerability is given below:<\/p>\n

\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Affected Products<\/td>\npgAdmin 4 versions prior to 9.2, including Query Tool and Cloud Deployment modules.<\/td>\n<\/tr>\n
Impact<\/td>\nRemote Code Execution (RCE)<\/td>\n<\/tr>\n
Exploit Prerequisites<\/td>\nLow-privileged authenticated access- Ability to send crafted POST requests to vulnerable endpoints (\/sqleditor\/query_tool\/download and \/cloud\/deploy)<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\n9.9 (Critical)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Impact and Exploitation<\/strong><\/h2>\n

Security experts have confirmed that successful exploitation requires authentication, but once achieved, attackers can:<\/p>\n