CVE-2025-2945

Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with the 2 POST endpoints; /sqleditor/query_tool/download, where the query_commited parameter and /cloud/deploy endpoint, where the high_availability parameter is unsafely passed to the Python eval() function, allowing arbitrary code execution. This issue affects pgAdmin 4: before 9.2.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/pgadmin-org/pgadmin4/issues/8603

Configurations

No configuration.

History

07 Apr 2025, 14:18

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad de seguridad de ejecución remota de código en pgAdmin 4 (módulos Herramienta de consulta e Implementación en la nube). La vulnerabilidad está asociada con los dos endpoints POST: /sqleditor/query_tool/download, donde el parámetro query_commited, y /cloud/deploy, donde el parámetro high_availability se pasa de forma insegura a la función eval() de Python, lo que permite la ejecución de código arbitrario. Este problema afecta a pgAdmin 4: versiones anteriores a la versión 9.2.

03 Apr 2025, 18:15

Type	Values Removed	Values Added
CWE		CWE-94

03 Apr 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-03 13:15

Updated : 2025-04-07 14:18

NVD link : CVE-2025-2945

Mitre link : CVE-2025-2945

CVE.ORG link : CVE-2025-2945

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.9 /10