CVE-2025-2945: pgAdmin 4: Remote Code Execution in Query Tool and Cloud Deployment

9.9 CVSS

Description

Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules).

The vulnerability is associated with the 2 POST endpoints; /sqleditor/query_tool/download, where the query_commited parameter and /cloud/deploy endpoint, where the high_availability parameter is unsafely passed to the Python eval() function, allowing arbitrary code execution.

This issue affects pgAdmin 4: before 9.2.

Classification

CVE ID: CVE-2025-2945

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Products

Vendor: pgadmin.org

Product: pgAdmin 4

Exploit Prediction Scoring System (EPSS)

EPSS Score: 25.71% (probability of being exploited)

EPSS Percentile: 95.88% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2945
https://github.com/pgadmin-org/pgadmin4/issues/8603

Timeline

2025-04-03 13:40:12 UTC
CVE

pgAdmin 4: Remote Code Execution in Query Tool and Cloud Deployment
2025-04-04 15:15:24 UTC
Github Advisory Database (PIP)

[pgadmin4] pgAdmin 4 Vulnerable to Remote Code Execution