V
Scaner-VS
HomeCatalogSourcesCWECAPECATT&CKMitigationsProductsVendorsDocs
CVE-2025-2945
CVE
HighConfirmedExploit available

Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with t…

CVSS
8.8
High
EPSS
0.39
p98
Published
2025-01-01
Updated
2025-01-01
Description

Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with the 2 POST endpoints; /sqleditor/query_tool/download, where the query_commited parameter and /cloud/deploy endpoint, where the high_availability parameter is unsafely passed to the Python eval() function, allowing arbitrary code execution. This issue affects pgAdmin 4: before 9.2.

Tags · CWE
CWE-94
CAPEC-35
CAPEC-77
CAPEC-242
Affected products
Pgadmin_4 < 9.2
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Timeline
2025-01-01
Published
2025-01-01
Updated
CVSS 3.1 breakdown
Attack Vector
AV: N
Network (N)
Attack Complexity
AC: L
Low (L)
Privileges Required
PR: L
Low (L)
User Interaction
UI: N
None (N)
Scope
S: U
Unchanged (U)
Confidentiality Impact
C: H
High (H)
Integrity Impact
I: H
High (H)
Availability Impact
A: H
High (H)
Exploit indicators
EPSS
0.391 · p98
Known exploited (KEV)
No
MITRE ATT&CK
Inferred via CAPEC
└ via CAPEC-35 · CWE-94
└ via CAPEC-35 · CWE-94
└ via CAPEC-35 · CWE-94
Known exploits — Сканер-ВС
CVE-2025-2945
github-poc · https://github.com/plur1bu5/CVE-2025-2945-pgadmin-rce
Enterprise
Affected products
ProductVendorStatus
Tracked
pgadmin4Tracked
pgadmin_4*Tracked
Source databases
ANC
DEB
CVE
Related vulnerabilities