CVE-2025-60797
Description
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without any sanitization or parameterization via $data->conn->Execute($_REQUEST['query']). An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpPgAdmin 7.13.0 and earlier has a SQL injection flaw in dataexport.php allowing authenticated attackers to execute arbitrary SQL commands.
Root Cause
CVE-2025-60797 is a SQL injection vulnerability in phpPgAdmin, a web-based PostgreSQL administration tool, affecting version 7.13.0 and earlier. The flaw exists in the dataexport.php script at line 118, where the application directly passes user-supplied input from the $_REQUEST['query'] parameter into the $data->conn->Execute() method without any sanitization or parameterization [1][2]. This means an attacker can control the SQL query that gets executed by the underlying PostgreSQL database.
Exploitation
An attacker must first be authenticated to the phpPgAdmin instance. Once authenticated, they can craft a malicious HTTP request to dataexport.php containing arbitrary SQL in the query parameter. No additional privilege is required beyond a valid session; the vulnerable endpoint does not perform any filtering or validation of the query string [2][3]. The attack surface is accessible over the network to any authenticated user.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands against the PostgreSQL server. This can lead to complete compromise of the database, including data theft, modification, deletion, and potential privilege escalation within the database system [1][4]. Because phpPgAdmin typically runs with a privileged database connection, the attacker may also gain the ability to execute administrative operations.
Mitigation
As of the publication date (2025-11-20), no patched version has been released. The vendor repository (phpPgAdmin) appears to be in maintenance mode, with its last official release from 2019 [4]. Users should consider restricting access to the vulnerable dataexport.php endpoint via web server configuration, applying strict input validation, or migrating to an alternative administration tool until a fix is available.
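As an added illustration of the monitoring side of the mitigation above (example code added here; it is not part of the CVE record or of phpPgAdmin), the following Python script parses access-log lines in the common "combined" format, flags every request to dataexport.php, and decodes the query parameter where it travels in the URL so a reviewer can see what SQL reached the endpoint and which authenticated user sent it. The log lines, hosts, user names and queries are constructed for the example. The caveat it encodes is that $_REQUEST also accepts POST bodies (and cookies), which an access log does not record, so POST hits are flagged with query=None and need request-body logging or a WAF to recover the SQL.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in "combined" access-log format (made-up hosts,
# users, timestamps and queries; not captured from a real server).
SAMPLE_LOG = """\
10.0.0.5 - alice [20/Nov/2025:10:01:02 +0000] "GET /phppgadmin/dataexport.php?query=SELECT+*+FROM+users&format=csv HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - alice [20/Nov/2025:10:01:09 +0000] "GET /phppgadmin/tables.php?server=localhost HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - bob [20/Nov/2025:10:02:15 +0000] "GET /phppgadmin/dataexport.php?query=SELECT%20*%20FROM%20pg_catalog.pg_tables&format=sql HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.9 - carol [20/Nov/2025:10:03:00 +0000] "POST /phppgadmin/dataexport.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# One line of the combined format:
# client ident user [timestamp] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Script named in the CVE description; matched on the URL path suffix.
VULNERABLE_SCRIPT = "/dataexport.php"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_dataexport_requests(log_text):
    """Flag every request whose path ends in dataexport.php.

    For GET requests the SQL arrives in the URL's query string and is decoded
    for review. $_REQUEST also accepts POST bodies (and cookies), which the
    access log does not record, so those hits carry query=None and are marked
    body_not_logged for correlation with request-body logging or a WAF.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.endswith(VULNERABLE_SCRIPT):
            continue
        params = parse_qs(parts.query)          # decodes %XX and '+' for us
        sql = params.get("query", [None])[0]
        hits.append({
            "ip": rec["ip"],
            "user": rec["user"],
            "timestamp": rec["ts"],
            "method": rec["method"],
            "status": int(rec["status"]),
            "query": sql,
            "body_not_logged": rec["method"] == "POST" and sql is None,
        })
    return hits


def hits_per_client(hits):
    """Count flagged requests per (client IP, authenticated user) pair."""
    counts = {}
    for h in hits:
        key = (h["ip"], h["user"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_dataexport_requests(SAMPLE_LOG)
    for h in found:
        shown = h["query"] if h["query"] is not None else "<SQL in request body; not in access log>"
        print(f'{h["timestamp"]} {h["ip"]} user={h["user"]} {h["method"]} -> {shown}')
    print("per client:", hits_per_client(found))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a burst of flagged requests from one user, or any request whose decoded query is not an export-style SELECT, is the signal worth a closer look. Pairing this with a web server rule that limits dataexport.php to a small set of administrators covers the access-restriction half of the mitigation.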
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phppgadmin/phppgadmin (Packagist) | <= 7.13.0 | — |
Affected products
- phpPgAdmin/phpPgAdmin
- Range: <=7.13.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.