Critical pgAdmin Flaw Allows Remote Code Execution
gbhackers
A severe Remote Code Execution (RCE) vulnerability in pgAdmin (CVE-2025-2945), the popular PostgreSQL database management tool, has been patched after researchers discovered that attackers could hijack servers through malicious API requests.
The flaw affects pgAdmin versions ≤9.1 and allows any authenticated pgAdmin user to execute arbitrary Python code, and therefore operating-system commands, on the server hosting pgAdmin.
Technical Breakdown
The vulnerability stems from improper use of Python’s eval() function in two endpoints:
- /sqleditor/query_tool/download/
query_commited = eval(value) if isinstance(value, str) else value # Vuln code
Attackers could send crafted POST requests containing Python code (e.g., open('/tmp/pyozzi-poc', 'w')) to write files or execute commands.
- /cloud/deploy
high_availability = 'REGIONAL' if eval(args.high_availability) else 'ZONAL' # Vuln code
Because eval() evaluates any Python expression, an attacker can wrap statements in a call to exec() and run an entire reverse-shell script, granting full server access:
exec('import socket,subprocess,os;s=socket.socket(...)')
Both endpoints processed user input without sanitization, enabling attackers to abuse the eval() function’s ability to execute code ...
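The following is an added example, not pgAdmin's code, covering both endpoints above. It reproduces the two eval() patterns from the write-up, puts a strict boolean parser beside them, and feeds both a normal value and a constructed attacker payload (a stand-in for the open('/tmp/...') and reverse-shell strings). The SIDE_EFFECTS list, ATTACKER_PAYLOAD string and the accepted spellings in parse_bool are assumptions of this example; the marker list makes code execution observable without touching the filesystem.

```python
"""Added example (not pgAdmin's code): the eval() pattern from both vulnerable
endpoints beside a hardened parser that accepts only boolean values."""

# Constructed marker: the attacker payload below appends to it, so a non-empty
# list is proof that request-supplied text was executed as Python.
SIDE_EFFECTS: list[str] = []

# Constructed payload standing in for the file-write / reverse-shell strings in
# the write-up. It evaluates to True so the endpoint logic proceeds normally
# while the side effect fires.
ATTACKER_PAYLOAD = "SIDE_EFFECTS.append('attacker code ran') or True"


def query_committed_vulnerable(value):
    """Mirrors `eval(value) if isinstance(value, str) else value` (deliberately unsafe)."""
    return eval(value) if isinstance(value, str) else value


def high_availability_vulnerable(arg):
    """Mirrors `'REGIONAL' if eval(arg) else 'ZONAL'` (deliberately unsafe)."""
    return "REGIONAL" if eval(arg) else "ZONAL"


# Assumed allow-list of spellings the hardened endpoints accept.
_TRUE = {"true", "1", "yes"}
_FALSE = {"false", "0", "no"}


def parse_bool(value):
    """Strict boolean parser: accepts a bool or one of a few fixed strings.
    Anything else, including any Python expression, raises ValueError
    instead of being evaluated."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        token = value.strip().lower()
        if token in _TRUE:
            return True
        if token in _FALSE:
            return False
    raise ValueError(f"expected a boolean, got {value!r}")


def query_committed_safe(value):
    """Hardened replacement for the /sqleditor/query_tool/download/ pattern."""
    return parse_bool(value)


def high_availability_safe(arg):
    """Hardened replacement for the /cloud/deploy pattern."""
    return "REGIONAL" if parse_bool(arg) else "ZONAL"


def try_parse(parser, value):
    """Feed request input to a parser and report ('accepted', result) or
    ('rejected', message) instead of raising, so outcomes can be compared."""
    try:
        return ("accepted", parser(value))
    except ValueError as exc:
        return ("rejected", str(exc))


def demo():
    """Run the same inputs through both versions; return a summary dict."""
    SIDE_EFFECTS.clear()
    results = {
        "vuln_normal": try_parse(query_committed_vulnerable, "True"),
        "vuln_payload": try_parse(query_committed_vulnerable, ATTACKER_PAYLOAD),
        "executed_after_vuln": list(SIDE_EFFECTS),  # payload ran inside eval()
    }
    SIDE_EFFECTS.clear()
    results.update({
        "safe_normal": try_parse(query_committed_safe, "true"),
        "safe_payload": try_parse(query_committed_safe, ATTACKER_PAYLOAD),
        "executed_after_safe": list(SIDE_EFFECTS),  # stays empty: nothing evaluated
        "ha_safe": (high_availability_safe("true"), high_availability_safe("0")),
    })
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The vulnerable parsers return the expected True for the payload, so the request looks well-formed to the rest of the handler while the embedded expression has already run; the allow-list parser rejects the same string before any evaluation. An allow-list is deliberately tighter than ast.literal_eval, which would also stop code execution but still accepts arbitrary Python literals rather than the two values the endpoint actually needs.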
Copyright of this story solely belongs to gbhackers.