CVE-2025-2945: 
Python vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2025-2945) was discovered in pgAdmin 4 versions prior to 9.2, specifically affecting versions 8.10 through 9.1. The vulnerability exists in both the Query Tool and Cloud Deployment modules, where two POST endpoints (/sqleditor/query_tool/download and /cloud/deploy) unsafely pass parameters to the Python eval() function, potentially allowing arbitrary code execution (AttackerKB, NVD).

The vulnerability specifically involves two POST endpoints: the /sqleditor/querytool/download endpoint where the querycommited parameter, and the /cloud/deploy endpoint where the highavailability parameter are unsafely passed to the Python eval() function. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. To exploit the vulnerability, an attacker needs both pgAdmin authentication credentials and valid database credentials to establish a querytool session (AttackerKB, NVD).

If successfully exploited, the vulnerability allows authenticated attackers to execute arbitrary code on the system running pgAdmin with the privileges of the pgAdmin user. A Shodan query revealed approximately 5,700 potentially vulnerable internet-facing pgAdmin instances, indicating significant exposure (AttackerKB).

The vulnerability has been patched in pgAdmin 4 version 9.2. Organizations running affected versions (8.10 through 9.1) should upgrade to version 9.2 or later immediately. Versions prior to 8.10 are reportedly unaffected by this vulnerability (OSS-Security).