CVE-2025-2945

CRITICAL9.9EPSS 82.5%

pgAdmin 4 Vulnerable to Remote Code Execution

Published: 4/3/2025Modified: 4/4/2025

Description

Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with the 2 POST endpoints; /sqleditor/query_tool/download, where the query_commited parameter and /cloud/deploy endpoint, where the high_availability parameter is unsafely passed to the Python eval() function, allowing arbitrary code execution. This issue affects pgAdmin 4: before 9.2.

Affected packages (1)

PyPI/pgadmin4from 0, < 9.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-2945
PATCHhttps://github.com/pgadmin-org/pgadmin4
WEBhttps://github.com/pgadmin-org/pgadmin4/commit/75be0bc22d3d8d7620711835db817bd7c021007c
WEBhttps://github.com/pgadmin-org/pgadmin4/issues/8603