Warning: RCE & XSS in pgAdmin4, Patch Immediately!

Published : 04/04/2025

    * Last update:  04/04/2025
    * Affected software: PgAdmin 4
    * Type: Remote Code Execution (RCE), Cross-site Scripting (XSS)
    * CVE/CVSS
        → CVE-2025-2945: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
        → CVE-2025-2946: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H)

Sources

pgadmin-org - https://github.com/pgadmin-org/pgadmin4/issues/8602
pgadmin-org - https://github.com/pgadmin-org/pgadmin4/issues/8603

Risks

Two newly discovered vulnerabilities in pgAdmin 4 allow attackers to execute unauthorized code, potentially exposing sensitive company data and disrupting operations.

pgAdmin is the leading Open Source management tool for Postgres, the world's most advanced Open Source database.

If exploited, these could lead to data breaches, system compromise, and operational downtime, impacting the confidentiality, integrity, and availability of critical businesses.

Description

Two critical security vulnerabilities were recently discovered in pgAdmin 4:

CVE-2025-2945: A Remote Code Execution (RCE) vulnerability affecting versions before 9.2. Two POST endpoints (/sqleditor/query_tool/download with the query_commited parameter and /cloud/deploy with the high_availability parameter) unsafely pass user input to Python's eval(), enabling arbitrary code execution on the pgAdmin server.

CVE-2025-2946: A Cross-Site Scripting (XSS) vulnerability affecting versions before 9.2. Attackers can inject arbitrary HTML/JavaScript through query result rendering, leading to code execution in the user's browser.
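The root cause of CVE-2025-2945 is a request parameter handed to eval(). The following is an added illustration, not pgAdmin's own code: the weak pattern beside a hardened parser that accepts only the boolean tokens such a flag actually needs. Function and parameter names are constructed for the example.

```python
# Added example (not pgAdmin code): unsafe vs. hardened handling of a
# boolean request flag such as the one the advisory describes.
# Assumption: the flag arrives as a form-field string, e.g. "true" / "false".

def parse_flag_unsafe(raw: str) -> bool:
    """Weak pattern: the parameter is a Python expression, so any expression
    the caller supplies is executed by the server. Shown only for contrast."""
    return bool(eval(raw))


# Explicit allow-lists: nothing outside these tokens is ever interpreted.
_TRUE_TOKENS = {"true", "1", "yes", "on"}
_FALSE_TOKENS = {"false", "0", "no", "off", ""}


def parse_flag_safe(raw, default: bool = False) -> bool:
    """Hardened replacement: strict allow-list parse, no code execution.
    Missing value -> default; unknown value -> ValueError (HTTP 400 at the view)."""
    if raw is None:
        return default
    token = str(raw).strip().lower()
    if token in _TRUE_TOKENS:
        return True
    if token in _FALSE_TOKENS:
        return False
    raise ValueError(f"rejected flag value: {raw!r}")


def is_rejected(raw) -> bool:
    """Helper for checks: True when the hardened parser refuses the input."""
    try:
        parse_flag_safe(raw)
    except ValueError:
        return True
    return False


def read_flag(form: dict, key: str, default: bool = False) -> bool:
    """How a view would consume a form field (constructed dict stands in for
    request.form): the raw string never reaches an evaluator."""
    return parse_flag_safe(form.get(key), default=default)


if __name__ == "__main__":
    # Constructed request bodies: the first is a normal flag, the second a
    # non-boolean expression that the hardened parser must refuse.
    print(read_flag({"query_commited": "true"}, "query_commited"))
    print(is_rejected("1 + 1"))
```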

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

PostgreSQL - https://www.postgresql.org/about/news/pgadmin-4-v92-released-3050/?utm_source=feedly