A severe remote code execution (RCE) flaw has been uncovered in pgAdmin4, the popular open-source interface for PostgreSQL databases.
Tracked as CVE-2025-12762, the vulnerability affects versions up to 9.9 and could allow attackers to run arbitrary commands on the hosting server, potentially compromising entire database infrastructures.
The issue stems from improper handling of code injection during server-mode restores from PLAIN-format dump files. When pgAdmin processes these files, which are commonly used for backing up and migrating PostgreSQL data, it fails to sanitize inputs adequately.
An attacker with low privileges, such as an authenticated user, could craft a malicious dump file to inject commands, exploiting the tool’s execution of system-level operations.
This CWE-94 weakness, rooted in code generation from untrusted sources, requires only network access and no user interaction, making it dangerously straightforward to exploit.
The National Vulnerability Database (NVD) rates the flaw as critical, with a CVSS v3.1 score of 9.3 out of 10. Key metrics highlight its network-based attack vector, low complexity, and changed scope, leading to high confidentiality impacts alongside moderate integrity and availability risks.
The advisory aligns with a GitHub issue (#9320) reported by the pgAdmin team, which traces the root cause to unsafe command construction in the restore process.
pgAdmin developers swiftly addressed the problem in commit 1d39739, released in version 10.0. Users running affected setups in server mode, which is common in enterprise environments, are immediately exposed, especially if they restore untrusted dumps from external sources.
The flaw underscores broader concerns in database tools, where restore functions often bypass strict validation.
Organizations should prioritize upgrading to pgAdmin 10.0 or later, disable PLAIN-format restores if possible, and audit access controls. As PostgreSQL powers countless applications, this RCE serves as a wake-up call for rigorous input sanitization in DevOps pipelines.
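The weakness class behind this advisory is a restore path that builds an operating-system command from values an authenticated user controls. The example below is added here to illustrate the defensive pattern; it is not pgAdmin's code, does not reproduce the actual flaw, and the storage directory, function names and psql invocation are assumptions made for the illustration. It contrasts the shell-string anti-pattern with a builder that allow-lists the inputs, confines the dump file to a storage root, and passes each value as its own argv element so no shell ever interprets it. A small version helper for audit scripts uses the affected/fixed versions stated above.

```python
"""Hardened construction of a server-side restore command (added example).

This is NOT pgAdmin's code. The storage root, function names and the psql
invocation are assumptions made for the illustration.
"""
import re
import shlex
import subprocess
from pathlib import Path
from typing import List

# Assumed layout: server mode stores uploaded dump files under one root.
DUMP_ROOT = Path("/var/lib/pgadmin/storage")  # constructed example path

# Conservative allow-lists: letters, digits and a few safe punctuation marks.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,255}$")
SAFE_DBNAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]{0,62}$")


def unsafe_restore_command(dbname: str, dump_name: str) -> str:
    """The anti-pattern: user-controlled values pasted into a shell string.

    Shown only for contrast with build_restore_argv and never executed here.
    Run through a shell, metacharacters in dbname or dump_name would be
    interpreted by the shell rather than passed to psql as data.
    """
    return f"psql -d {dbname} -f {DUMP_ROOT}/{dump_name}"


def validate_dump_path(dump_name: str, root: Path = DUMP_ROOT) -> Path:
    """Return the resolved dump path, or raise ValueError.

    Rejects anything outside the allow-list (which excludes shell
    metacharacters and path separators) and any name that would resolve
    outside the storage root.
    """
    if not SAFE_NAME.match(dump_name) or dump_name in {".", ".."}:
        raise ValueError(f"dump file name rejected: {dump_name!r}")
    candidate = (root / dump_name).resolve(strict=False)
    if candidate.parent != root.resolve(strict=False):
        raise ValueError("dump file must live directly under the storage root")
    return candidate


def build_restore_argv(dbname: str, dump_name: str,
                       psql_bin: str = "/usr/bin/psql") -> List[str]:
    """Build the restore command as an argv list; no shell is involved.

    A PLAIN-format dump is SQL, so it is fed to psql with --file. Each value
    is a separate argv element and reaches psql verbatim, so metacharacters
    cannot alter the command that runs.
    """
    if not SAFE_DBNAME.match(dbname):
        raise ValueError(f"database name rejected: {dbname!r}")
    dump_path = validate_dump_path(dump_name)
    return [psql_bin,
            "--set", "ON_ERROR_STOP=1",
            "--dbname", dbname,
            "--file", str(dump_path)]


def run_restore(dbname: str, dump_name: str) -> int:
    """Execute the hardened command and return psql's exit status."""
    argv = build_restore_argv(dbname, dump_name)
    # shell=False (the default for a list) keeps the shell out of the picture.
    completed = subprocess.run(argv, shell=False, check=False)
    return completed.returncode


def is_affected(version: str) -> bool:
    """True for pgAdmin versions up to 9.9; the fix shipped in 10.0."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) < (10, 0)


if __name__ == "__main__":
    print(shlex.join(build_restore_argv("appdb", "nightly.sql")))
    # Constructed inputs: one benign name, one with a metacharacter, one
    # that tries to leave the storage root.
    for name in ("nightly.sql", "nightly.sql;extra", "../outside.sql"):
        try:
            validate_dump_path(name)
            print("accepted:", name)
        except ValueError as exc:
            print("rejected:", exc)
```

The argv-list form is the important part: validation narrows what reaches the command, but even a value that slips past the allow-list stays a single argument to psql rather than shell syntax. Keeping `run_restore` separate from `build_restore_argv` also makes the command construction unit-testable without a database.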
