A severe security vulnerability has been uncovered in pgAdmin 4, the popular open-source PostgreSQL database management tool.
Tracked as CVE-2025-13780, this critical flaw allows attackers to bypass security filters and execute arbitrary shell commands on the host server.
The issue stems from the application's plain-text restore feature, which failed to adequately block dangerous commands hidden in uploaded database dump files.
The Failure of the Text Filter
According to EndorLabs, the vulnerability exists because pgAdmin 4 relied on a text-based “regular expression” (regex) filter to detect and block malicious commands.
This filter was designed to detect specific patterns used by the psql command-line utility to run system commands.
EndorLabs researchers found that the filter was too rigid. It only looked for standard formatting, such as a newline followed immediately by a command.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-13780 |
| Vulnerability Type | Remote Code Execution (RCE) |
| CVSS Base Score | 9.9 |
| Affected Component | Plain-text Restore Feature |
| Affected Versions | pgAdmin 4 (versions prior to 9.11) |
| Attack Vector | Uploaded Malicious SQL Dump |
Attackers discovered they could evade this filter by inserting unexpected whitespace characters, such as carriage returns or form feeds, between the newline and the command.
While the security filter ignored these "messy" lines, the underlying psql tool still recognized and executed them as valid instructions.
This filter gap allowed attackers to run unauthorized commands on the server by uploading a specially crafted SQL file.
In response to this EndorLabs discovery, the pgAdmin development team released version 9.11, which fundamentally changes how the restore feature enforces security.
Instead of scanning files for every possible dangerous pattern, the new version uses psql's restrict command. This feature instructs psql to disable hazardous operations for the duration of the restore.
By enforcing security at the execution level rather than the input level, the software is no longer vulnerable to text-hiding tricks. EndorLabs strongly recommends that administrators upgrade to version 9.11 immediately.
Relying on older versions leaves systems exposed to remote code execution (RCE) attacks that can compromise the entire host environment.
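The two ideas above, the whitespace gap in a newline-anchored filter and the execution-level fix, in an added example that is not pgAdmin's code and not taken from the EndorLabs write-up. The naive pattern is a hypothetical stand-in for the kind of filter described, the sample dump is constructed, and the wrapper assumes psql's `\restrict KEY` meta-command behaves as documented in recent PostgreSQL releases (shell and file meta-commands are refused until `\unrestrict` with the same key):

```python
import re
import secrets

# Constructed sample dump: one ordinary statement, then a psql shell
# meta-command hidden behind a carriage return that sits between the
# newline and the backslash, as described in the article.
SAMPLE_DUMP = "CREATE TABLE t (id int);\n\r\\! echo hi\nINSERT INTO t VALUES (1);\n"

# Hypothetical newline-anchored filter of the kind the article describes:
# the backslash must directly follow the newline, so "\n\r\\!" slips past.
NAIVE_PATTERN = re.compile(r"\n\\!")

def naive_filter_blocks(dump: str) -> bool:
    """True if the naive filter would reject this dump."""
    return NAIVE_PATTERN.search(dump) is not None

# psql skips leading whitespace on a line before looking for a backslash
# command, so a scanner must strip every ASCII whitespace character,
# not only spaces and tabs.
LEADING_WS = " \t\r\f\v"

def find_meta_commands(dump: str) -> list[tuple[int, str]]:
    """Return (line number, command text) for every line that starts, after
    any leading whitespace, with a psql backslash meta-command. This only
    covers the line-start case the article discusses; it is a detection aid,
    not a substitute for running the restore in restricted mode."""
    hits = []
    for lineno, line in enumerate(dump.split("\n"), start=1):
        stripped = line.lstrip(LEADING_WS)
        if stripped.startswith("\\"):
            hits.append((lineno, stripped.rstrip(LEADING_WS)))
    return hits

def wrap_in_restricted_mode(dump: str) -> str:
    """Prefix the script with psql's \\restrict meta-command under a random
    key. Assumption (not pgAdmin's own implementation): psql then refuses
    hazardous meta-commands until \\unrestrict is issued with the same key,
    which the untrusted dump cannot know, so hidden commands fail at
    execution time no matter how they are formatted."""
    key = secrets.token_hex(16)  # hex keeps the key alphanumeric
    return f"\\restrict {key}\n{dump}"
```

Feed the wrapped text to psql on stdin rather than the raw file, and review any hits from the scanner before restoring at all.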
