Critical pgAdmin Vulnerability Let Attackers Execute Remote Code

Apr 7, 2025 - 10:33

A critical security vulnerability discovered in pgAdmin 4, the most widely used management tool for PostgreSQL databases, allows attackers to execute arbitrary code on affected systems.

Security researchers have disclosed details of CVE-2025-2945, a severe Remote Code Execution (RCE) vulnerability with a CVSS score of 9.9, indicating the highest level of severity.

The vulnerability affects all versions of pgAdmin 4 prior to 9.2, which was released on April 4, 2025. The security flaw exists in two separate POST endpoints: /sqleditor/query_tool/download and /cloud/deploy. 

Both endpoints contain dangerous implementations that pass untrusted user input directly to Python’s eval() function without proper validation or sanitization.

The Centre for Cybersecurity Belgium (CCB) issued an urgent advisory on April 4, warning that exploitation could lead to “data breaches, system compromise, and operational downtime impacting confidentiality, integrity, and availability of critical businesses.”

pgAdmin Vulnerability Details

In the /sqleditor/query_tool/download/ endpoint, the vulnerability lies in how the application processes the query_commited parameter:

This implementation allows attackers to send malicious Python code that will be executed on the server. For example, a simple malicious request could look like:

Similarly, in the /cloud/deploy endpoint, the high_availability parameter is directly passed to eval():

This allows attackers to craft malicious requests that can execute arbitrary code on the server, potentially leading to complete system compromise.

The summary of the vulnerability is given below:

Risk Factors | Details
Affected Products | pgAdmin 4 versions prior to 9.2, including the Query Tool and Cloud Deployment modules
Impact | Remote Code Execution (RCE)
Exploit Prerequisites | Low-privileged authenticated access; ability to send crafted POST requests to the vulnerable endpoints (/sqleditor/query_tool/download and /cloud/deploy)
CVSS 3.1 Score | 9.9 (Critical)

Impact and Exploitation

Security experts have confirmed that successful exploitation requires authentication, but once achieved, attackers can:

  • Execute arbitrary code with the permissions of the pgAdmin process.
  • Access, modify, or exfiltrate sensitive data from PostgreSQL databases.
  • Establish persistent access through backdoors.
  • Move laterally within the network to compromise additional systems.
  • Escalate privileges if pgAdmin is running with elevated permissions.

Alongside the RCE vulnerability, researchers also identified CVE-2025-2946, a Cross-Site Scripting (XSS) vulnerability with a CVSS score of 9.1. 

This flaw allows attackers to inject arbitrary HTML and JavaScript through query result rendering in both the Query Tool and View/Edit Data features.

The pgAdmin development team has released version 9.2, which removes the dangerous use of eval() functions and implements proper input validation.
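The eval() anti-pattern described in the Vulnerability Details section, beside the kind of strict input validation the 9.2 fix is described as introducing, as an added illustration constructed for this article (it is not pgAdmin's own code; the function and parameter names are assumptions):

```python
import ast
from typing import Any, Callable

# Constructed illustration of the bug class described in the article:
# a request parameter that should only ever carry a boolean is handed
# to eval(). Function names are assumptions, not pgAdmin's own code.


def parse_flag_vulnerable(raw: str) -> Any:
    """Anti-pattern: eval() executes whatever Python expression the client
    sent, so the 'flag' becomes arbitrary code running as the web process."""
    return eval(raw)  # deliberately unsafe, kept only to show the defect


def parse_flag_safe(raw: str) -> bool:
    """Hardened form: accept only the two tokens the endpoint needs and
    reject anything else, so the input is compared, never executed."""
    allowed = {"true": True, "false": False}
    key = raw.strip().lower()
    if key not in allowed:
        raise ValueError(f"invalid boolean flag: {raw!r}")
    return allowed[key]


def parse_literal_safe(raw: str) -> Any:
    """When a parameter must carry a structured literal (list, dict,
    number), ast.literal_eval parses Python literals only: calls,
    attribute access and bare names are rejected, so nothing runs."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"invalid literal: {raw!r}") from exc


def rejects(parser: Callable[[str], Any], raw: str) -> bool:
    """True if the parser refuses the input instead of evaluating it."""
    try:
        parser(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # A benign arithmetic expression stands in for attacker-supplied code.
    print(parse_flag_vulnerable("1+1"))             # 2: the expression ran
    print(rejects(parse_flag_safe, "1+1"))          # True: refused
    print(rejects(parse_literal_safe, "len('x')"))  # True: calls not allowed
```

Any input that reaches eval() is executed, which is why the safe parsers compare or parse literals and never evaluate.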

The patch was released within 24 hours of the vulnerability being reported.

The CCB strongly recommends that organizations:

  • Immediately update to pgAdmin 4 version 9.2.
  • Increase monitoring and detection capabilities to identify suspicious activities.
  • Conduct thorough testing before deploying updates in production environments.

“While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise,” warns the CCB.

Organizations using pgAdmin 4 are urged to check for signs of compromise and report any security incidents to their respective cybersecurity authorities.

The post Critical pgAdmin Vulnerability Let Attackers Execute Remote Code appeared first on Cyber Security News.