Security researchers have uncovered multiple critical vulnerabilities in pgAdmin, the leading open-source management tool for PostgreSQL databases.
The most severe issues allow attackers to execute arbitrary code on servers hosting pgAdmin installations, potentially compromising database systems and sensitive data worldwide.
Two New Critical Vulnerabilities Disclosed This Month
The Belgian Centre for Cybersecurity (CCB) issued an urgent warning on April 4, 2025, regarding two newly discovered high-severity vulnerabilities in pgAdmin:
CVE-2025-2945: A Remote Code Execution (RCE) vulnerability in versions up to 9.1, carrying a critical CVSS score of 9.9. This vulnerability exists in two POST endpoints where user input is unsafely passed to Python's eval() function, enabling arbitrary code execution with even low-privileged access.
CVE-2025-2946: A Cross-Site Scripting (XSS) vulnerability with a CVSS score of 9.1 that allows attackers to inject arbitrary HTML/JavaScript through query result rendering.
Technical Details of CVE-2025-2945
The RCE vulnerability involves two separate endpoints in pgAdmin:
/sqleditor/query_tool/download endpoint: the query_commited parameter is passed directly to Python's eval() function without proper validation:

```python
query_commited = (
    eval(value) if isinstance(value, str) else value  # vulnerable code
)
```
/cloud/deploy endpoint: similarly vulnerable, the high_availability parameter is passed to eval() unsafely:

```python
high_availability = \
    'REGIONAL' if eval(args.high_availability) else 'ZONAL'  # vulnerable code
```
This implementation allows attackers to execute arbitrary Python code on the server by crafting malicious requests to these endpoints.
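Both quoted call sites take a request field whose meaning is a yes/no flag, so the defensive fix is to parse the field as a boolean and reject anything else rather than evaluating it. The following is an added illustration, not pgAdmin's own code or its actual patch: the function names, the accepted true/false spellings and the simulated `handle_deploy` view are assumptions, and the `_unsafe` variant is kept only to contrast the quoted pattern with its replacement.

```python
import json

# Added example (not pgAdmin's code). The two call sites in the advisory take a
# request field that is semantically a boolean; parse it strictly instead of
# handing the string to eval().


class BadRequest(ValueError):
    """Raised when a request parameter is not one of the accepted literal values."""


# Assumed set of spellings a form-encoded body may legitimately send.
_TRUE_WORDS = frozenset({"true", "1", "yes", "on"})
_FALSE_WORDS = frozenset({"false", "0", "no", "off"})


def parse_bool_param(value, name):
    """Strictly parse a form/JSON field as a boolean.

    Accepts real booleans (JSON bodies) and a fixed set of strings
    (form-encoded bodies). Anything else, including Python expressions,
    raises BadRequest instead of being executed.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        word = value.strip().lower()
        if word in _TRUE_WORDS:
            return True
        if word in _FALSE_WORDS:
            return False
    raise BadRequest(f"{name}: expected a boolean, got {value!r}")


# --- vulnerable pattern, as quoted in the advisory ---------------------------
def query_commited_unsafe(value):
    # Same shape as the quoted code: any string is evaluated as Python.
    return eval(value) if isinstance(value, str) else value  # intentionally unsafe


# --- hardened replacements ---------------------------------------------------
def query_commited_safe(value):
    """Drop-in replacement for the download endpoint's parsing."""
    return parse_bool_param(value, "query_commited")


def high_availability_region(value):
    """'REGIONAL' if the high_availability flag is set, else 'ZONAL'."""
    return "REGIONAL" if parse_bool_param(value, "high_availability") else "ZONAL"


def handle_deploy(form):
    """Simulated /cloud/deploy view: validate first, answer (status, body)."""
    try:
        region = high_availability_region(form.get("high_availability"))
    except BadRequest as exc:
        return 400, json.dumps({"error": str(exc)})
    return 200, json.dumps({"region": region})


if __name__ == "__main__":
    # Constructed sample inputs: JSON-shaped and form-shaped legitimate values,
    # plus one string that is an expression rather than a boolean.
    print(handle_deploy({"high_availability": "true"}))
    print(handle_deploy({"high_availability": False}))
    print(handle_deploy({"high_availability": "1 + 1"}))
```

The point of the contrast is that `query_commited_unsafe("1 + 1")` happily returns `2` because the string is executed, while the hardened path turns the same input into a 400 response without ever interpreting it.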
Earlier RCE Vulnerability Still Presents Risk
Organizations should also be aware of CVE-2024-3116, an earlier RCE vulnerability affecting pgAdmin versions 8.4 and below through the validate binary path API.
This vulnerability, disclosed in April 2024, has since been weaponized with a Metasploit module released in August 2024.
The exploit allows attackers to execute arbitrary code on Windows systems hosting vulnerable pgAdmin installations.
The Exploit Prediction Scoring System (EPSS) estimates an 80.26% probability of exploitation activity for this vulnerability within 30 days following disclosure, placing it in the 99th percentile of all vulnerabilities in terms of exploitation likelihood.
Impact and Exploitation
If successfully exploited, these vulnerabilities could lead to:
- Complete system compromise
- Unauthorized access to sensitive database information
- Service disruption and operational downtime
- Data theft or modification
- Lateral movement within corporate networks
Remediation Steps
Security experts strongly recommend the following actions:
- Immediately upgrade pgAdmin to version 9.2 or newer to address the newest vulnerabilities
- If running an older version affected by CVE-2024-3116, upgrade to at least version 8.5
- Implement network access restrictions to pgAdmin interfaces
- Deploy strong authentication and access controls
- Monitor for suspicious activity targeting the vulnerable endpoints
- Consider network segmentation to limit potential attack surface
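As a concrete form of the "restrict network access" and "monitor the vulnerable endpoints" steps above, the following added example (my own code, not from the advisory or the pgAdmin project) scans reverse-proxy access logs for POST requests to the two affected paths and raises an alert when the source address is outside an allow-list. The log lines, the allowed networks and the Apache-style combined log format are all constructed for the example; adapt the regex and the networks to your own proxy and deployment.

```python
import ipaddress
import re
from collections import Counter

# Added example (not pgAdmin's code). Flags POSTs to the endpoints named in the
# advisory that come from outside the networks that are supposed to reach pgAdmin.

# Path prefixes of the two endpoints from the advisory (routes may carry a
# trailing transaction id, hence prefix matching).
SENSITIVE_PREFIXES = ("/sqleditor/query_tool/download", "/cloud/deploy")

# Constructed allow-list: the admin networks expected to use pgAdmin.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]

# Apache/nginx combined log format (assumed; adjust for your proxy).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one normal admin download, three requests from an
# address outside the allow-list, and a GET that is not a POST.
SAMPLE_LOG = """\
10.0.4.7 - - [05/Apr/2025:09:12:01 +0000] "GET /browser/ HTTP/1.1" 200 5123
10.0.4.7 - - [05/Apr/2025:09:12:40 +0000] "POST /sqleditor/query_tool/download/12345 HTTP/1.1" 200 833
203.0.113.9 - - [05/Apr/2025:09:13:02 +0000] "POST /cloud/deploy HTTP/1.1" 200 51
203.0.113.9 - - [05/Apr/2025:09:13:03 +0000] "POST /cloud/deploy HTTP/1.1" 500 73
203.0.113.9 - - [05/Apr/2025:09:13:05 +0000] "POST /sqleditor/query_tool/download/12345 HTTP/1.1" 200 90
192.168.1.20 - - [05/Apr/2025:09:14:00 +0000] "GET /sqleditor/query_tool/download/12345 HTTP/1.1" 405 0
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sensitive_post(rec):
    return rec["method"] == "POST" and rec["path"].startswith(SENSITIVE_PREFIXES)


def from_allowed_net(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def find_alerts(log_text):
    """Alerts for sensitive POSTs whose source is outside the allowed networks."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_sensitive_post(rec) or from_allowed_net(rec["ip"]):
            continue
        alerts.append({"ip": rec["ip"], "ts": rec["ts"],
                       "path": rec["path"], "status": int(rec["status"])})
    return alerts


def count_by_source(log_text):
    """Per-IP count of all sensitive POSTs (allowed or not), useful for baselining."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sensitive_post(rec):
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT", alert)
    print("baseline", count_by_source(SAMPLE_LOG))
```

Access logs only show the request line, not the POST body, so this cannot tell a benign flag value from a malicious one; it is a cheap first signal that complements upgrading, and the per-source counts help spot an unfamiliar address hammering either endpoint.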

Organizations are advised to treat these upgrades as high priority due to the critical nature of the vulnerabilities and their high exploitation potential.