PT-2025-14613 · Pgadmin 4+2

Khushboovashi · Published 2025-03-27 · Updated 2026-02-28 · CVE-2025-2945

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pgAdmin 4 versions prior to 9.2
Description: This is a remote code execution vulnerability in pgAdmin 4 affecting the Query Tool and Cloud Deployment modules. Two POST endpoints are involved: "/sqleditor/query_tool/download", where the query_commited parameter, and "/cloud/deploy", where the high_availability parameter, are passed unsanitised to Python's eval() function, allowing arbitrary code execution. An attacker with a valid (low-privileged) account can exploit it by sending a specially crafted POST request, potentially gaining full control of the server, executing arbitrary commands, and moving laterally within the infrastructure. The estimated number of potentially affected devices is over 41,000.
Recommendations: To resolve the issue, update pgAdmin 4 to version 9.2 or later. As a temporary workaround, restrict access to the vulnerable endpoints "/sqleditor/query_tool/download" and "/cloud/deploy" to minimise the risk of exploitation. Additionally, avoid using the query_commited and high_availability parameters of the affected API endpoints until the fix is applied.
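The root cause described above is a boolean-like request parameter being evaluated with eval(). The following is an added illustration, not pgAdmin's own code, showing that pattern next to a hardened replacement that accepts only an explicit allow-list of values; the form field names are taken from the advisory, the handler functions are hypothetical.

```python
"""Unsafe vs. safe handling of a boolean-like POST parameter (constructed example)."""
from typing import Mapping

# Vulnerable pattern named in the advisory: the raw string value of a request
# parameter is handed to eval(), which executes any Python expression the
# client sends rather than only "True"/"False".
def parse_flag_unsafe(form: Mapping[str, str], name: str) -> object:
    return eval(form.get(name, "False"))  # intentionally unsafe, for contrast

# Hardened replacement: an explicit allow-list of accepted spellings mapped to
# bool. Anything else is rejected before it reaches an interpreter, and a
# missing parameter defaults to False.
_TRUE = {"true", "1", "yes", "on"}
_FALSE = {"false", "0", "no", "off", ""}

def parse_flag_safe(form: Mapping[str, str], name: str) -> bool:
    raw = form.get(name, "false").strip().lower()
    if raw in _TRUE:
        return True
    if raw in _FALSE:
        return False
    raise ValueError(f"parameter {name!r} must be a boolean, got {raw!r}")

def is_valid_flag(form: Mapping[str, str], name: str) -> bool:
    """True if the parameter parses as a boolean under the strict rules."""
    try:
        parse_flag_safe(form, name)
        return True
    except ValueError:
        return False

def check_request(form: Mapping[str, str]) -> dict:
    """Validate both flags named in the advisory; raises on bad input."""
    return {
        "query_commited": parse_flag_safe(form, "query_commited"),
        "high_availability": parse_flag_safe(form, "high_availability"),
    }

if __name__ == "__main__":
    # Constructed sample form data, not captured traffic.
    benign = {"query_commited": "True", "high_availability": "false"}
    print(check_request(benign))
    # eval() still evaluates a non-boolean expression (here harmless arithmetic)...
    print(parse_flag_unsafe({"query_commited": "1 + 1"}, "query_commited"))
    # ...whereas the strict parser refuses it outright.
    print(is_valid_flag({"query_commited": "1 + 1"}, "query_commited"))
```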

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-03867
CVE-2025-2945
GHSA-G73C-FW68-PWX3
OPENSUSE-SU-2025:14983-1

Affected Products

Pgadmin
Red Os
Pgadmin 4