CVE-2025-12764: 
Python vulnerability analysis and mitigation

pgAdmin versions up to 9.9 are affected by an LDAP injection vulnerability (CVE-2025-12764) discovered in the LDAP authentication flow. The vulnerability was disclosed on November 13, 2025, and affects the authentication mechanism of pgAdmin, the popular open-source administration and development platform for PostgreSQL databases (Miggo Database).

The vulnerability exists in the pgadmin.authenticate.ldap.LDAP.search_ldap_user function, where user-provided usernames are incorporated into an LDAP search filter without proper sanitization. The issue has been assigned a CVSS score of 7.5 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-90 and primarily affects the Python-based components of pgAdmin (Miggo Database).

When exploited, the vulnerability allows attackers to inject special LDAP characters in the username field, causing both the domain controller (DC) and LDAP server, as well as the client, to process an unusual amount of data. This results in a Denial-of-Service (DoS) condition that can affect the availability of the authentication system (Security Online).

The vulnerability has been patched in pgAdmin version 9.10, which introduces the escape_filter_chars function to neutralize special characters in the username before it's used in the filter. Organizations are strongly advised to upgrade to this latest secure release to protect against LDAP injection attacks (Miggo Database).