Critical Security Flaws in pgAdmin Threaten PostgreSQL Servers Worldwide

Listen to this Post

Introduction:

pgAdmin, the most widely used open-source management tool for PostgreSQL databases, has recently been found to contain several severe security vulnerabilities. These flaws expose millions of systems globally to serious cyber threats, including remote code execution and cross-site scripting attacks. With the potential to compromise databases, steal sensitive data, and disrupt services, the urgency for action is high. The Belgian Centre for Cybersecurity (CCB) has issued a critical advisory to warn developers, system administrators, and organizations running pgAdmin to patch their systems immediately.

the Vulnerabilities ():

Security researchers have discovered multiple critical vulnerabilities in pgAdmin, posing serious risks to PostgreSQL database infrastructures around the world.

  • On April 4, 2025, the Belgian Centre for Cybersecurity (CCB) disclosed two critical vulnerabilities in pgAdmin.
  • CVE-2025-2945 is a Remote Code Execution (RCE) vulnerability with a CVSS score of 9.9, found in versions up to 9.1.
  • It allows attackers to exploit unsafe usage of Python’s eval() function in POST endpoints to execute arbitrary code.

– The vulnerable endpoints are:

– `/sqleditor/query_tool/download` – unsafe use of `query_commited`

– `/cloud/deploy` – improper evaluation of `high_availability` parameter

  • Attackers can send crafted requests and gain control over the pgAdmin server, even with low-level access.

  • The second vulnerability, CVE-2025-2946, is an XSS flaw with a CVSS score of 9.1.

  • It enables attackers to inject malicious HTML or JavaScript through query result rendering, potentially leading to session hijacking and data leakage.

  • In addition, CVE-2024-3116, an earlier RCE vulnerability disclosed in April 2024, still threatens systems running pgAdmin version 8.4 or lower.

  • This exploit has been weaponized via a Metasploit module since August 2024.
  • The EPSS scores its exploitation risk at 80.26%, ranking it among the most likely-to-be-exploited bugs globally.

Potential Impact:

If successfully exploited, these vulnerabilities could result in:

– Total system compromise

– Unauthorized access to database contents

– Downtime and service outages

– Data theft or corruption

– Lateral network movement for deeper attacks

Recommendations for Remediation:

Security experts strongly advise:

– Immediate upgrade to pgAdmin 9.2 or later

  • If vulnerable to CVE-2024-3116, upgrade to at least version 8.5

– Restrict network access to pgAdmin interfaces

– Enforce multi-factor authentication and granular access controls

  • Monitor for unusual activity on the affected endpoints

– Segment networks to contain breaches

Given the severity and exploitability of these bugs, patching should be treated as an urgent priority.

What Undercode Say: (40-Line Analysis)

From a security engineering perspective, these pgAdmin vulnerabilities reveal recurring risks in software development where dynamic code execution is misused — especially with functions like eval() in Python. This isn’t just a coding flaw; it represents a serious lapse in secure design principles.

CVE-2025-2945 shows how dangerous it can be to trust client input without thorough validation. Using eval() on any user-provided data is an open door to attackers. These types of mistakes are common in rapid development cycles where functionality is prioritized over security. What’s shocking is that this issue made it into production-level software relied on by enterprises globally.

CVE-2025-2946, while not as dangerous as full RCE, introduces major user-side risks. JavaScript injection into browser-based management interfaces can escalate to full session hijacks or phishing attacks, especially if the interface is used by database administrators.

The residual threat from CVE-2024-3116 is even more concerning. The fact that it’s already included in Metasploit makes it easily accessible to even low-skilled attackers. The 80.26% EPSS probability shows how likely it is that unpatched systems will be hit — particularly in corporate environments where patch cycles are slow or neglected.

The strategic implications are massive:

  • Companies managing critical infrastructure on PostgreSQL may unknowingly expose sensitive data.
  • Supply chain attacks could emerge if compromised database servers spread malware or get integrated into larger attack frameworks.
  • Attacks can now easily bypass traditional network protections due to the nature of RCE and XSS exploits.

On the bright side, the open-source community has acted quickly to patch these flaws, but proactive security practices — such as code auditing, stricter sandboxing, and fuzz testing — are crucial moving forward.

For DevSecOps teams, this is a wake-up call: software like pgAdmin, although essential, must be constantly scrutinized for security. Even trusted tools can become high-risk if not rigorously maintained.

Fact Checker Results:

  • ✅ The CVEs referenced (CVE-2025-2945, CVE-2025-2946, CVE-2024-3116) are valid and publicly listed.
  • ✅ CVE-2024-3116 is weaponized in Metasploit as of August 2024.
  • ✅ The 80.26% EPSS score places the RCE among the most exploitable vulnerabilities globally.

Stay vigilant, patch often, and always validate input.

References:

Reported By: https://cyberpress.org/pgadmin-bug/
Extra Source Hub:
https://www.facebook.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image