Critical severity · NVD Advisory · Published Apr 3, 2025 · Updated Feb 26, 2026
pgAdmin 4: Remote Code Execution in Query Tool and Cloud Deployment
CVE-2025-2945
Description
Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules).
The vulnerability is associated with two POST endpoints: /sqleditor/query_tool/download, where the query_commited parameter, and /cloud/deploy, where the high_availability parameter, are passed unsafely to the Python eval() function, allowing arbitrary code execution.
This issue affects pgAdmin 4 before 9.2.
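The description above explains that a request parameter reached Python's eval(). The following added example (not pgAdmin's own code; parse_bool_param, vulnerable_parse_bool and the value sets are hypothetical names chosen here) contrasts the pre-fix eval() pattern with a strict boolean coercion in the spirit of the 9.2 fix, which accepts only 'true'/'1'; the explicit false set and strict mode are assumptions added for input validation.

```python
# Added example, not pgAdmin's own code: strict boolean coercion for request
# parameters in the spirit of the CVE-2025-2945 fix, contrasted with the
# eval()-based parsing the advisory describes. parse_bool_param,
# vulnerable_parse_bool and the value sets are hypothetical names.

# The fix accepts only 'true'/'1' (case-insensitive) as True; the explicit
# false set is an assumption added so strict mode can reject junk.
TRUE_VALUES = frozenset({"true", "1"})
FALSE_VALUES = frozenset({"false", "0", ""})


def vulnerable_parse_bool(value):
    """The pre-fix pattern: a string parameter is handed to eval(), so the
    caller decides which Python expression runs, not just a flag value."""
    return eval(value) if isinstance(value, str) else value


def parse_bool_param(value, *, strict=False):
    """Coerce a request parameter to bool without interpreting it as code.

    bool/None/int inputs are normalised; strings are matched against fixed
    spellings. Unknown strings map to False, or raise ValueError if strict.
    """
    if isinstance(value, bool):
        return value
    if value is None:
        return False
    if not isinstance(value, str):
        return bool(value)
    normalized = value.strip().lower()
    if normalized in TRUE_VALUES:
        return True
    if normalized in FALSE_VALUES or not strict:
        return False
    raise ValueError(f"not a boolean parameter: {value!r}")


def rejects_when_strict(value):
    """True if strict parsing refuses the value (useful for input validation)."""
    try:
        parse_bool_param(value, strict=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: the same string is executed as an expression by the
    # vulnerable path and merely treated as "not a boolean" by the safe one.
    print(vulnerable_parse_bool("1 + 1"))  # 2: the string ran as code
    print(parse_bool_param("1 + 1"))       # False: no evaluation
    print(rejects_when_strict("1 + 1"))    # True
```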
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pgadmin4 (PyPI) | < 9.2 | 9.2 |
Patches
75be0bc22d3d Fixed a remote code execution issue in the Query Tool and Cloud Deployment (CVE-2025-2945). #8603
3 files changed · +9 −3
docs/en_US/release_notes_9_2.rst+1 −0 modified@@ -50,3 +50,4 @@ Bug fixes | `Issue #8577 <https://github.com/pgadmin-org/pgadmin4/issues/8577>`_ - Fixed an issue where the upgrade_check API returned an unexpected keyword argument 'cafile' due to changes in the urllib package supporting Python v3.13. | `Issue #8597 <https://github.com/pgadmin-org/pgadmin4/issues/8597>`_ - Fixed an issue where delete/rename was done on wrong file after sorting in Storage Manager. | `Issue #8602 <https://github.com/pgadmin-org/pgadmin4/issues/8602>`_ - Fixed an XSS vulnerability issue in the Query Tool and View/Edit Data (CVE-2025-2946). + | `Issue #8603 <https://github.com/pgadmin-org/pgadmin4/issues/8603>`_ - Fixed a remote code execution issue in the Query Tool and Cloud Deployment (CVE-2025-2945). \ No newline at end of file
web/pgacloud/providers/google.py+6 −2 modified@@ -136,8 +136,12 @@ def _create_google_postgresql_instance(self, args): credentials = self._get_credentials(self._scopes) service = discovery.build('sqladmin', 'v1beta4', credentials=credentials) - high_availability = \ - 'REGIONAL' if eval(args.high_availability) else 'ZONAL' + + _high_availability = args.high_availability.lower() in ( + 'true', '1') if isinstance(args.high_availability, str + ) else args.high_availability + + high_availability = 'REGIONAL' if _high_availability else 'ZONAL' db_password = self._database_password \ if self._database_password is not None else args.db_password
web/pgadmin/tools/sqleditor/__init__.py+2 −1 modified@@ -2156,7 +2156,8 @@ def start_query_download_tool(trans_id): sql = value if key == 'query_commited': query_commited = ( - eval(value) if isinstance(value, str) else value + value.lower() in ('true', '1') if isinstance( + value, str) else value ) if not sql: sql = trans_obj.get_sql(sync_conn)
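Review bot: in the web/pgacloud/providers/google.py hunk, the conditional expression `args.high_availability.lower() in ('true', '1') if isinstance(args.high_availability, str) else args.high_availability` is split across three lines inside the parentheses, which makes its precedence hard to read, and its `else` branch passes a non-string value through unconverted. The identical coercion is added to `start_query_download_tool` in the same commit, so a shared helper such as `def _str_to_bool(value): return value.lower() in ('true', '1') if isinstance(value, str) else bool(value)` would keep both call sites in sync. Note also that any other spelling (for example with surrounding whitespace) now silently selects `'ZONAL'`; the accepted values `true`/`1` should be documented for the option.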
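Review bot: in the web/pgadmin/tools/sqleditor/__init__.py hunk, the `else value` branch leaves a non-string `query_commited` untouched, so an unexpected JSON type flows into later truth checks unchanged; consider `bool(value)` or rejecting non-boolean types explicitly. A regression test asserting that a string such as `'1+1'` is now treated as False, rather than evaluated as the removed `eval(value)` line did, would pin the fix down.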
References
- github.com/advisories/GHSA-g73c-fw68-pwx3 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-2945 (ADVISORY)
- github.com/pgadmin-org/pgadmin4/commit/75be0bc22d3d8d7620711835db817bd7c021007c (WEB)
- github.com/pgadmin-org/pgadmin4/issues/8603 (issue tracking, WEB)