CVE-2025-12765: 
Python vulnerability analysis and mitigation

A vulnerability (CVE-2025-12765) has been identified in pgAdmin versions 9.9 and earlier, affecting the LDAP authentication mechanism. The vulnerability allows bypassing TLS certificate verification, which was discovered and reported by Arad Inbar. The issue was published on November 13, 2025, and affects the LDAP authentication flow in pgAdmin 4 (NVD, GitHub Issue).

The vulnerability stems from a flaw in the LDAP TLS client implementation where it proceeds without validating the server certificate unless all three components - CA, client certificate, and client key - are configured. In Active Directory configurations where MTLS is typically disabled, this results in no validation of the certificate. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and is classified under CWE-295 (Improper Certificate Validation) (NVD).

The vulnerability enables on-path attackers to perform man-in-the-middle (MITM) attacks by terminating TLS with a fraudulent certificate and proxying traffic. This can lead to the theft of LDAP bind credentials and the ability to alter directory responses. The attack vectors include ARP spoofing within the same VLAN, DHCP spoofing/rogue gateway attacks, and Wi-Fi evil twin access points (GitHub Issue).