pgAdmin 4 Vulnerabilities Expose Databases to Remote Code Execution and XSS


The widely utilized PostgreSQL administration tool, pgAdmin 4, has recently addressed two significant security vulnerabilities that pose substantial risks to database environments. The latest release, version 9.2, patches critical flaws that could enable remote code execution (RCE) and cross-site scripting (XSS) attacks, demanding immediate attention from users.

CVE-2025-2945: A Gateway to Remote Code Execution

The more severe of the two, CVE-2025-2945, carries a CVSS score of 9.9, indicating critical severity. This vulnerability exposes pgAdmin 4 users, specifically those utilizing the Query Tool and Cloud Deployment modules, to potential remote code execution. The root of the issue lies in the insecure handling of user-supplied parameters within two POST endpoints: /sqleditor/query_tool/download and /cloud/deploy.

Specifically, the query_commited and high_availability parameters, respectively, were passed directly to Python’s eval() function without any validation. Any Python expression placed in those fields is therefore executed by the pgAdmin server process, allowing an attacker to run arbitrary code on the host and potentially take over the system.
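
The following is an added illustration, not pgAdmin’s own code: a stand-in for a form handler that evaluates a request parameter with eval(), next to two hardened parsers that accept only a boolean. The parameter name follows the advisory; the handler and parser functions, the allow-list and the sample request bodies are assumptions made for this demo. The "malicious" value calls os.getpid() as a harmless proof that arbitrary code runs.

```python
"""Illustrative only: the eval() pattern behind CVE-2025-2945 and a hardened
alternative. Not pgAdmin's code; names and sample inputs are constructed."""
import ast
import os


def parse_flag_unsafe(raw: str):
    """Vulnerable: the request parameter is evaluated as Python source.
    "True" yields a bool, but any expression runs with the web worker's
    privileges."""
    return eval(raw)  # deliberately vulnerable, do not copy


ALLOWED = {"true": True, "false": False, "1": True, "0": False}


def parse_flag_safe(raw) -> bool:
    """Hardened: accept only a closed set of literal spellings."""
    if not isinstance(raw, str):
        raise ValueError("flag must be a string")
    key = raw.strip().lower()
    if key not in ALLOWED:
        raise ValueError(f"invalid boolean flag: {raw!r}")
    return ALLOWED[key]


def parse_flag_literal(raw: str) -> bool:
    """Alternative: ast.literal_eval builds literals only (no calls,
    attribute access or imports); the result is then type-checked."""
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a literal: {raw!r}") from exc
    if not isinstance(value, bool):
        raise ValueError(f"expected a boolean, got {type(value).__name__}")
    return value


# Constructed request bodies: a benign one and an injection attempt.
BENIGN = {"query_commited": "True"}
MALICIOUS = {"query_commited": "__import__('os').getpid()"}


def handle_download(form: dict, parser) -> dict:
    """Minimal stand-in for a /sqleditor/query_tool/download-style handler
    (assumed shape, not pgAdmin's)."""
    committed = parser(form["query_commited"])
    return {"query_commited": committed}


def rejects(parser, raw) -> bool:
    """True if the parser refuses the input with ValueError."""
    try:
        parser(raw)
    except ValueError:
        return True
    return False


def eval_executed_injected_code() -> bool:
    """With eval(), the 'flag' comes back as the server's PID: the injected
    expression ran inside the server process."""
    result = handle_download(MALICIOUS, parse_flag_unsafe)["query_commited"]
    return result == os.getpid()


if __name__ == "__main__":
    print("unsafe, benign   :", handle_download(BENIGN, parse_flag_unsafe))
    print("unsafe, malicious:", handle_download(MALICIOUS, parse_flag_unsafe))
    print("injected code ran:", eval_executed_injected_code())
    print("safe rejects     :", rejects(parse_flag_safe, MALICIOUS["query_commited"]))
    print("literal rejects  :", rejects(parse_flag_literal, MALICIOUS["query_commited"]))
```

The allow-list parser is the preferable fix: it never parses the input as Python at all, and it also rejects the unbounded shapes (lists, large numbers) that ast.literal_eval would still construct before the type check.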

Technical details and a proof of concept are available here.

CVE-2025-2946: XSS Attacks via Malicious Query Results

Alongside the RCE flaw, pgAdmin 4 versions 9.1 and earlier are vulnerable to a cross-site scripting (XSS) attack, tracked as CVE-2025-2946, with a CVSS score of 9.1. The vulnerability arises because the application does not escape query results before rendering them, so HTML and JavaScript contained in a returned value are executed in the user’s browser.

In essence, if a user executes a query that returns a value containing a malicious JavaScript payload, pgAdmin 4 renders that value as markup rather than as text, and the embedded script runs immediately in the browser. This is a stored XSS: the attacker only needs to get the payload into a row that an administrator later displays, which means anyone with write access to the database, not only pgAdmin users, can plant it. A successful attack can steal sensitive information, hijack the administrator’s pgAdmin session, or perform other actions with the victim’s privileges.

To illustrate the XSS vulnerability, consider the following steps:

  1. Connect to a database instance using pgAdmin 4.

  2. Open the Query Tool.

  3. Execute the following SQL commands:

    CREATE TABLE IF NOT EXISTS EXAMPLE (TEXT_SAMPLE VARCHAR(255));
    INSERT INTO EXAMPLE (TEXT_SAMPLE) VALUES ('<img src=a onerror=alert(1)>');
    SELECT * FROM EXAMPLE;

Executing the SELECT statement triggers an alert box, demonstrating that the JavaScript stored in the row runs as soon as the result grid is drawn; any other script could stand in for the alert(1) call. This highlights the critical need to escape query results before rendering them.
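
To show the rendering mistake described above and its fix, here is an added example written for this article, not pgAdmin’s code. It builds an HTML result grid from a constructed result set (the PoC’s payload plus a few edge-case cells) in two ways: interpolating values verbatim, which reproduces the XSS, and passing every value through html.escape. The column names, rows and function names are assumptions made for the demo.

```python
"""Illustrative only: raw interpolation of query results versus escaping.
Not pgAdmin's code; the result set below is constructed for the demo."""
import html

# Constructed result set, shaped like a DB-API fetch: column names plus rows
# of Python values. The first row is the PoC payload from the article.
COLUMNS = ["text_sample"]
ROWS = [
    ("<img src=a onerror=alert(1)>",),   # stored XSS payload
    ("O'Reilly & Sons",),                # benign value with HTML-special chars
    (None,),                             # NULL cell
    (42,),                               # non-string value
]


def cell_text(value) -> str:
    """How the grid should display NULL and non-string values (assumed)."""
    if value is None:
        return "[null]"
    return str(value)


def render_grid_unsafe(columns, rows) -> str:
    """Vulnerable: cell values are interpolated into markup verbatim, so the
    browser parses the stored <img> tag and fires its onerror handler."""
    head = "".join(f"<th>{c}</th>" for c in columns)
    body = "".join(
        "<tr>" + "".join(f"<td>{cell_text(v)}</td>" for v in row) + "</tr>"
        for row in rows
    )
    return f"<table><tr>{head}</tr>{body}</table>"


def render_grid_safe(columns, rows) -> str:
    """Hardened: every value, including column names, is HTML-escaped.
    quote=True also escapes ' and ", so the output is safe even if a value
    later ends up inside an attribute."""
    head = "".join(f"<th>{html.escape(str(c), quote=True)}</th>" for c in columns)
    body = "".join(
        "<tr>"
        + "".join(f"<td>{html.escape(cell_text(v), quote=True)}</td>" for v in row)
        + "</tr>"
        for row in rows
    )
    return f"<table><tr>{head}</tr>{body}</table>"


def contains_live_tag(markup: str, tag: str = "<img") -> bool:
    """Demo check: is an unescaped tag present in the rendered markup?"""
    return tag in markup


if __name__ == "__main__":
    unsafe = render_grid_unsafe(COLUMNS, ROWS)
    safe = render_grid_safe(COLUMNS, ROWS)
    print("unsafe grid executes payload:", contains_live_tag(unsafe))
    print("safe grid executes payload  :", contains_live_tag(safe))
    print(safe)
```

The same rule applies on the client side: a grid component must insert cell values as text (in React, as ordinary children rather than through dangerouslySetInnerHTML), and output escaping is the fix for XSS regardless of how the data was validated on the way in, since the payload in this case is legitimate database content.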

Mitigation and Best Practices:

To mitigate these vulnerabilities, users should:

  • Immediately upgrade to pgAdmin 4 version 9.2 or later. This version includes the necessary patches to address both CVE-2025-2945 and CVE-2025-2946.
  • Implement robust input validation and sanitization practices. Developers should ensure that all user-supplied data is properly sanitized and validated before being processed or displayed.
  • Minimize the use of dynamic code execution functions like eval(). If possible, avoid using such functions altogether. If they are necessary, ensure that inputs are strictly controlled and validated.
  • Educate users about the risks of XSS attacks. Users should be aware of the potential for malicious code to be embedded in query results and should exercise caution when interacting with database data.
  • Conduct regular security audits and penetration testing. These practices can help identify and address potential vulnerabilities before they can be exploited by attackers.
