Remote Code Execution Vulnerability in pgAdmin 4 by pgAdmin Team
CVE-2025-2945
Key Information:
- Vendor: pgadmin.org
- CVE Published: 3 April 2025
What is CVE-2025-2945?
CVE-2025-2945 is a remote code execution vulnerability in pgAdmin 4, the widely used open-source administration and management tool for PostgreSQL databases. The flaw lets an attacker who can reach two of pgAdmin's web endpoints run arbitrary Python code on the pgAdmin server itself. Because that server typically holds saved connection credentials for every database it manages, a successful exploit can lead to unauthorized database access, data manipulation, or full control of the host.
Technical Details
The vulnerability lives in two POST endpoints of pgAdmin 4: /sqleditor/query_tool/download (Query Tool module) and /cloud/deploy (Cloud Deployment module). The root cause is that a request-body parameter on each endpoint, query_commited on the first and high_availability on the second, is passed straight to the Python eval() function without validation. Both parameters are meant to carry nothing more than a boolean flag, but eval() will execute whatever Python expression the client sends, so a crafted value yields code execution in the context of the pgAdmin server process. Both endpoints sit behind pgAdmin's login, so exploitation needs a valid pgAdmin session; any logged-in user, not only an administrator, can reach them.
This issue affects all versions of pgAdmin 4 prior to version 9.2.
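The bug class behind this CVE, as an added illustration that is not pgAdmin's own code and is not an exploit for it: a request parameter that should only ever be a boolean flag is handed to eval(), so the server executes whatever expression it receives. The function names (parse_flag_unsafe, parse_flag_safe, parse_flag_literal_eval) and the payload string are hypothetical and constructed for this example; the payload only appends to a list so that the code execution is observable without touching the host.

```python
"""
Illustrative recreation of the eval()-on-request-parameter pattern behind
CVE-2025-2945. Not pgAdmin code; the names below are invented for this
example. The vulnerable function is kept deliberately vulnerable so the
contrast with the hardened versions is visible.
"""
import ast

# Constructed marker: the "attacker" expression appends here to prove that
# eval() actually ran it. A real payload could do anything Python can.
SIDE_EFFECTS = []
PAYLOAD = "SIDE_EFFECTS.append('executed') or True"


def parse_flag_unsafe(raw: str) -> bool:
    """Vulnerable: the flag is obtained with eval() on client input.

    Works for "True"/"False" as the developer expected, but any Python
    expression in `raw` is executed with the server's privileges.
    """
    return bool(eval(raw))  # noqa: S307  (intentionally vulnerable)


def parse_flag_safe(raw: str) -> bool:
    """Hardened: an explicit allow-list of literal strings, nothing else.

    This is the check a practitioner would want for a boolean flag; the
    input is compared, never interpreted.
    """
    normalized = raw.strip().lower()
    if normalized in ("true", "1", "yes"):
        return True
    if normalized in ("false", "0", "no"):
        return False
    raise ValueError(f"expected a boolean flag, got {raw!r}")


def parse_flag_literal_eval(raw: str) -> bool:
    """Alternative: ast.literal_eval() only accepts Python literals.

    Function calls, attribute access and imports are rejected, so the
    constructed payload raises instead of executing. The allow-list above
    is still preferable for a flag because it also rejects surprising
    literals such as lists or large numbers.
    """
    value = ast.literal_eval(raw)
    if isinstance(value, bool):
        return value
    raise ValueError(f"expected a boolean literal, got {raw!r}")


def demo() -> dict:
    """Run the three parsers over a benign value and the constructed payload."""
    results = {}
    results["unsafe_true"] = parse_flag_unsafe("True")
    # The payload evaluates to True AND executes the append: code execution.
    results["unsafe_payload"] = parse_flag_unsafe(PAYLOAD)
    results["unsafe_payload_executed"] = "executed" in SIDE_EFFECTS

    results["safe_true"] = parse_flag_safe("True")
    try:
        parse_flag_safe(PAYLOAD)
        results["safe_payload_rejected"] = False
    except ValueError:
        results["safe_payload_rejected"] = True

    results["literal_true"] = parse_flag_literal_eval("True")
    try:
        parse_flag_literal_eval(PAYLOAD)
        results["literal_payload_rejected"] = False
    except (ValueError, SyntaxError):
        results["literal_payload_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the demo is the middle line of results: parse_flag_unsafe returns the boolean the developer expected and, at the same time, the marker list shows the attacker's expression ran. Either hardened variant returns the same boolean for legitimate input and refuses the payload outright.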
Potential Impact of CVE-2025-2945
- Unauthorized System Access: Attackers exploiting this vulnerability can gain unauthorized access to critical backend systems, potentially allowing them to manipulate databases or exfiltrate sensitive data.
- Data Integrity Compromise: With the capability to execute arbitrary code, adversaries could alter or corrupt database entries, leading to significant data integrity issues and operational disruptions.
- Increased Attack Surface: Successful exploitation could provide attackers with a foothold in the network, enabling further attacks or even the deployment of malware, thereby escalating risks within the organization's IT infrastructure.
Affected Version(s)
pgAdmin 4: all versions before 9.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. It is also a key building block for weaponization, which can lead to ransomware.
News Articles
CVE-2025-2945 Impact, Exploitability, and Mitigation Steps | Wiz
Understand the critical aspects of CVE-2025-2945 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance.
References
EPSS Score
59% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡 Public PoC available
- 👾 Exploit known to exist
- 📰 First article discovered by wiz.io
- Vulnerability published
- Vulnerability reserved
