PT-2025-50670 · Pgadmin+1

Published 2025-12-11 · Updated 2026-03-10 · CVE-2025-13780

CVSS v3.1: 9.1 (Critical) · AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: pgAdmin versions up to 9.10
Description: pgAdmin versions up to 9.10 are susceptible to a Remote Code Execution (RCE) issue when running in server mode and restoring from PLAIN-format dump files. The flaw allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin. It arises from a failure of the application's regex filter to block dangerous commands hidden in uploaded database dump files: the has_meta_commands() function used a regex pattern that did not account for carriage return (CR) characters, so an attacker could bypass the filter by inserting CRLF sequences into a SQL dump file. This enables execution of shell commands with the privileges of the pgAdmin process on the host system. Approximately 41,200 instances are exposed. The vulnerable component is the plain-text restore feature; crafted restore files are the attack vector.
Recommendations: Upgrade to pgAdmin version 9.11 or later.
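The root cause above is a line-oriented check that only recognised one kind of line terminator. The following is an added illustrative detector, written for this page and not pgAdmin's own code, showing how a meta-command check for PLAIN-format dumps should treat CR, LF and CRLF alike before deciding whether a line begins with a psql meta-command. The function names, the regex, and the sample dump text are all constructed for this example; the only line-leading backslash it treats as benign is the `\.` marker that terminates COPY data in a plain dump.

```python
import re
from typing import List, Tuple

# Split on CRLF, a lone CR or a lone LF, so a command placed after a bare
# carriage return still begins a "line" for the check. A pattern anchored
# on "\n" only would never see that line.
_LINE_BREAK_RE = re.compile(r'\r\n|\r|\n')

# A psql meta-command: optional blanks, a backslash, then the command word.
# Constructed pattern for this example, not pgAdmin's has_meta_commands() regex.
_META_COMMAND_RE = re.compile(r'^[ \t]*\\(\S+)')

# "\." ends a COPY ... FROM stdin block in a plain dump and is expected.
_ALLOWED = {'.'}


def find_meta_commands(dump_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, command) for every meta-command found.

    Line numbers count every CR, LF or CRLF as a line break, so they
    match what psql itself would execute.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(_LINE_BREAK_RE.split(dump_text), start=1):
        m = _META_COMMAND_RE.match(line)
        if m and m.group(1) not in _ALLOWED:
            findings.append((lineno, m.group(1)))
    return findings


def has_meta_commands(dump_text: str) -> bool:
    """True if the dump contains any meta-command a restore should refuse."""
    return bool(find_meta_commands(dump_text))


if __name__ == "__main__":
    # Constructed sample: a benign dump with COPY data, and one where a
    # meta-command is separated from the previous statement by a bare CR.
    benign = "SELECT 1;\nCOPY t FROM stdin;\n1\n\\.\n"
    cr_only = "SELECT 1;\r\\connect postgres\rSELECT 2;"
    print(find_meta_commands(benign))   # []
    print(find_meta_commands(cr_only))  # [(2, 'connect')]
```

The check returns the offending line and command rather than a bare boolean so a restore endpoint can log exactly what it refused; splitting on all three terminators (or using `str.splitlines()`, which covers the same cases) is the part that closes the gap the advisory describes.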

Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-15881
CVE-2025-13780
GHSA-FXMW-JCGR-W44V
OPENSUSE-SU-2025:15818-1

Affected Products

Pgadmin
Red Os