Critical Alert: Exploit in pgAdmin 4 Allows High-Risk Remote Code Execution



A recently disclosed critical vulnerability in pgAdmin 4, the most widely used open-source management tool for PostgreSQL, allows an authenticated user to execute arbitrary code on the server that hosts pgAdmin.

Overview of the Exploit

The vulnerability, tracked as CVE-2025-2945, carries a critical CVSS score of 9.9. It affects every pgAdmin 4 release prior to 9.2 and lives in two POST endpoints: /sqleditor/query_tool/download (via the query_commited parameter) and /cloud/deploy (via the high_availability parameter).

The flaw is a textbook code-injection sink: the value of each parameter is handed, exactly as received from the client, to Python's eval() without any validation or sanitization, so whatever Python expression the request carries is executed by the pgAdmin server process.
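The following is an added illustrative example, not pgAdmin's own source. It reproduces the bug class described above: a form field that is meant to hold a boolean (the advisory names query_commited, spelled that way) is parsed with eval(), beside the kind of allowlist parser that closes the hole. The dict-shaped request bodies, the EXECUTED sentinel and the run_demo() helper are assumptions made so the example runs offline.

```python
import json

# Added illustrative example, not pgAdmin's code. The parameter name
# 'query_commited' (spelled as in the advisory) and the dict-shaped request
# data are assumptions that keep the example self-contained.

EXECUTED = []  # sentinel list: lets us observe that eval() ran attacker-supplied code


def parse_flag_vulnerable(data, key="query_commited"):
    """Before the fix: a client-supplied string such as 'True' is turned into a
    bool by evaluating it as Python. Anything else the client sends is evaluated
    too, so this function is a direct code-injection sink."""
    value = data.get(key, False)
    if isinstance(value, str):
        value = eval(value)  # the sink: arbitrary Python from the request body runs here
    return bool(value)


def parse_flag_hardened(data, key="query_commited"):
    """After the fix: accept only an explicit allowlist of boolean spellings and
    reject everything else. No interpreter is involved, so no expression can run."""
    value = data.get(key, False)
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        normalized = value.strip().lower()
        if normalized in ("true", "1"):
            return True
        if normalized in ("false", "0", ""):
            return False
    raise ValueError(f"{key!r} must be a boolean, got {value!r}")


# Constructed request bodies: one benign client, one attacker. A real payload
# would do something like __import__('os').system(...); here the expression
# only appends to EXECUTED so the effect is observable without touching the host.
BENIGN_REQUEST = {"query_commited": "True"}
ATTACKER_REQUEST = {"query_commited": "EXECUTED.append('attacker code ran') or True"}


def run_demo():
    """Feed both requests through both parsers and report what happened."""
    result = {
        "vulnerable_benign": parse_flag_vulnerable(BENIGN_REQUEST),
        "vulnerable_attacker": parse_flag_vulnerable(ATTACKER_REQUEST),
        "attacker_code_ran": bool(EXECUTED),  # True only if eval() executed the payload
        "hardened_benign": parse_flag_hardened(BENIGN_REQUEST),
    }
    try:
        parse_flag_hardened(ATTACKER_REQUEST)
        result["hardened_rejected_attacker"] = False
    except ValueError:
        result["hardened_rejected_attacker"] = True
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The vulnerable parser returns True for the attacker's request, which is why the application keeps working and the injection goes unnoticed: the payload's `or True` tail makes the expression evaluate to the boolean the caller expected while the side effect has already happened. ast.literal_eval would stop code execution but still accepts any literal (lists, dicts, numbers), so an explicit allowlist with a hard failure on anything else is the safer replacement.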

Detailed Analysis of Flaws

The Centre for Cybersecurity Belgium (CCB) issued an emergency advisory warning that exploitation can lead to data breaches, complete compromise of the affected host, and significant disruption of the business services that depend on it.

Exploitation and Risks

Here is what an attacker who exploits the flaw can achieve:

  • Execution of arbitrary code with the privileges of the pgAdmin process.
  • Access to and theft of sensitive database content, including the connection details pgAdmin holds for the PostgreSQL servers it manages.
  • Installation of backdoors for persistent access.
  • Lateral movement within the network to reach further systems.
  • Privilege escalation, particularly if pgAdmin runs with elevated rights.

Security Recommendations and Fixes

Following the report, the pgAdmin developers released version 9.2, which removes the exploitable eval() calls and replaces them with strict input validation. The update shipped within 24 hours of the issue being reported.

The Centre for Cybersecurity Belgium advises:

  • Upgrade immediately to the latest pgAdmin 4 release (9.2 or later).
  • Strengthen monitoring and detection so that suspicious activity is spotted and handled quickly.
  • Test the update before rolling it out to production systems.

Upgrading closes the hole going forward; organisations should also check for indicators of earlier compromise, since the flaw may have been exploited before the patch was applied, and engage the relevant cybersecurity authorities where necessary.

Note: Upgrading prevents future exploitation but does not undo the effects of any breach that has already occurred.

Additional Security Concerns

Alongside the RCE, a second issue was fixed in the same release: CVE-2025-2946, a cross-site scripting (XSS) vulnerability with a CVSS score of 9.1. Query results are rendered in the query tool without adequate escaping, so a row containing HTML or JavaScript, for example planted in a table by an attacker with write access to the database, is executed in the browser of the pgAdmin user who later views it.
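The following is an added example, not pgAdmin's code, that shows the bug class behind this second issue in a server-side rendering of a result set: cell values interpolated straight into HTML beside the escaped form. The SAMPLE_ROWS data is constructed for the example, and has_injected_tag() is a check written here, not a pgAdmin function.

```python
import html

# Added illustrative example, not pgAdmin's code. Constructed sample result
# set; the second row carries a payload of the kind an attacker could plant in
# a table that a pgAdmin user later queries.
SAMPLE_ROWS = [
    {"id": 1, "username": "alice"},
    {"id": 2, "username": '<img src=x onerror="alert(document.cookie)">'},
]


def render_cell_vulnerable(value):
    """Raw interpolation: markup stored in the database becomes live markup in the page."""
    return f"<td>{value}</td>"


def render_cell_hardened(value):
    """Escape every cell as text; '<', '>', '&' and both quote characters become entities."""
    return f"<td>{html.escape(str(value), quote=True)}</td>"


def render_table(rows, render_cell):
    """Render a result set as an HTML table using the supplied cell renderer."""
    columns = list(rows[0].keys())
    head = "".join(f"<th>{html.escape(col)}</th>" for col in columns)
    body = "".join(
        "<tr>" + "".join(render_cell(row[col]) for col in columns) + "</tr>"
        for row in rows
    )
    return f"<table><thead><tr>{head}</tr></thead><tbody>{body}</tbody></table>"


def has_injected_tag(rendered, tag="img"):
    """Check: does the output contain an unescaped <tag ...> that the renderer
    itself never emits? True means data was interpreted as markup."""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_cell_vulnerable),
                           ("hardened", render_cell_hardened)):
        out = render_table(SAMPLE_ROWS, renderer)
        print(f"{name}: injected tag present = {has_injected_tag(out)}")
        print(out)
```

The rule is the same wherever the rendering happens: treat every value that came from a database as text, and encode it for the context it is written into at the point of output. In a browser-side grid, as the pgAdmin query tool uses, that means writing cell values as text nodes rather than inserting them as HTML.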


Last Updated: April 7, 2025