Critical pgAdmin Flaw Allows Remote Code Execution

Summary: A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-2945, affects pgAdmin versions 9.1 and earlier. An authenticated user can execute arbitrary commands on the pgAdmin server by sending crafted API requests to two endpoints that handled user-supplied input improperly. The issue is fixed in pgAdmin 9.2, and users should update immediately. The authentication requirement lowers but does not remove the risk: any compromised or low-privileged pgAdmin account becomes a path to server takeover and data exposure.

Affected: pgAdmin (versions ≤9.1)

Key points:

  • Successful exploitation gives the attacker code execution in the pgAdmin server process, enabling database manipulation, credential theft, and installation of persistent backdoors.
  • The vulnerability arises from passing user-supplied request input to Python's eval(), which interprets that input as Python code rather than as data.
  • The pgAdmin team resolved the issue in version 9.2 by removing the eval() calls and parsing the affected inputs strictly.
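The bug class is easy to reproduce in miniature. The following is an added example, not pgAdmin's code and not taken from the advisory: it assumes a hypothetical request handler that converts a boolean-like form parameter (here called `raw`) with eval(), and puts the strict-parsing replacement and a small request-log triage check beside it. The attacker payload is constructed for the demonstration and is deliberately harmless (it only reads the server's own PID), but it proves that arbitrary Python ran inside the handler's process.

```python
"""Added example (not pgAdmin's code): eval() on a request parameter as a
code-execution sink, beside the strict-parsing replacement.

The parameter, payload and helper names below are assumptions made for this
illustration; none of them come from the pgAdmin advisory."""
import ast
import os


def parse_flag_vulnerable(raw: str):
    """Anti-pattern: turn the string "True"/"False" from a request into a
    bool by evaluating it as Python. Any expression the client sends runs
    in the server process, with the server's privileges."""
    return eval(raw)  # deliberately unsafe, for demonstration only


def parse_flag_safe(raw: str) -> bool:
    """Replacement: accept an explicit allow-list of spellings and reject
    everything else. The input is never interpreted as code."""
    normalized = raw.strip().lower()
    if normalized in ("true", "1"):
        return True
    if normalized in ("false", "0"):
        return False
    raise ValueError(f"expected a boolean flag, got {raw!r}")


def parse_literal_safe(raw: str):
    """For parameters that are legitimately structured (a list or dict of
    options), ast.literal_eval() accepts Python literals only: names, calls
    and attribute access raise ValueError, so no code can run."""
    return ast.literal_eval(raw)


def looks_like_code_injection(raw: str) -> bool:
    """Cheap request-log triage (constructed heuristic, not a complete
    detector): a flag parameter whose value parses as a Python expression
    containing a call or attribute access deserves an alert."""
    try:
        tree = ast.parse(raw.strip(), mode="eval")
    except SyntaxError:
        return False
    return any(isinstance(n, (ast.Call, ast.Attribute)) for n in ast.walk(tree))


# Constructed attacker payload: harmless here, but it executes a function
# call chosen by the client, which is all an attacker needs.
PAYLOAD = "__import__('os').getpid()"


def demo():
    """Returns (attacker code ran under eval(), strict parser rejected it)."""
    executed = parse_flag_vulnerable(PAYLOAD)
    try:
        parse_flag_safe(PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return executed == os.getpid(), rejected


if __name__ == "__main__":
    ran_code, rejected = demo()
    print("eval() executed the attacker's expression:", ran_code)
    print("strict parser rejected it:", rejected)
    print("log triage flags the payload:", looks_like_code_injection(PAYLOAD))
```

The practical check for a code base is the same as the triage function's idea turned inward: grep for eval() and exec() on anything derived from a request, and replace each with an allow-list or ast.literal_eval() as above. Where a pgAdmin instance cannot be upgraded immediately, request logs for its API endpoints can be screened with the same heuristic for parameter values that contain calls or attribute access.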

Source: https://gbhackers.com/critical-pgadmin-flaw/