Security researchers have disclosed details of CVE-2025-2945, a severe Remote Code Execution (RCE) vulnerability in pgAdmin 4 with a CVSS score of 9.9, indicating the highest level of severity. The vulnerability affects all versions of pgAdmin 4 prior to 9.2, which was released on April 4, 2025.

Both affected endpoints contain dangerous implementations that pass untrusted user input directly to Python's eval() function without proper validation or sanitization. This allows attackers to craft malicious requests carrying Python code that is executed on the server, potentially leading to complete system compromise.

The disclosure also describes a flaw that allows attackers to inject arbitrary HTML and JavaScript through query result rendering in both the Query Tool and View/Edit Data features.

The pgAdmin development team has released version 9.2, which removes the dangerous use of eval() functions and implements proper input validation. Organizations using pgAdmin 4 are urged to check for signs of compromise and report any security incidents to their respective cybersecurity authorities. "While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise," warns the CCB.

Author: Gurubaran, co-founder of Cyber Security News and GBHackers On Security.
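To make the defect class concrete, here is an added Python example; it is not pgAdmin's code and does not reproduce the project's actual fix. It shows the pattern the advisory warns about (a request parameter handed straight to eval(), so any expression the client sends runs server-side) next to a hardened replacement that accepts only a plain Python literal of an expected type, and a small audit helper that lists eval()/exec() call sites in source text so defenders can find the same pattern in their own code. The function names, the `expected_type` parameter and the sample inputs are all constructed for this example.

```python
import ast


def parse_param_unsafe(raw: str):
    """Anti-pattern (constructed to mirror the advisory): the raw request
    parameter is passed to eval(), so the client controls what executes.
    Kept here only to contrast with the hardened version below."""
    return eval(raw)  # deliberately vulnerable: arbitrary expressions run here


def parse_param_safe(raw: str, expected_type: type):
    """Hardened replacement (assumed design, not pgAdmin's own fix).

    ast.literal_eval only builds literals (numbers, strings, lists, dicts,
    tuples, sets, booleans, None); any call, attribute access, subscript or
    arithmetic is rejected. The explicit type check then enforces what the
    endpoint actually expects, so a list cannot be smuggled where an int
    is required."""
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"parameter is not a plain literal: {raw!r}") from exc
    if not isinstance(value, expected_type):
        raise ValueError(
            f"expected {expected_type.__name__}, got {type(value).__name__}"
        )
    return value


def find_eval_calls(source: str) -> list[int]:
    """Audit helper: return the line numbers of direct eval()/exec() calls in
    a Python source string. Useful for a quick sweep of a code base before
    a manual review; it does not catch aliased or attribute-style calls."""
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id in {"eval", "exec"}
        ):
            hits.append(node.lineno)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed inputs: a benign-looking expression and a genuine literal.
    expression = "[1, 2][0] + 40"   # an expression, not a literal
    literal = "[1, 2]"              # a plain list literal
    print("unsafe handler evaluated:", parse_param_unsafe(expression))
    print("safe handler accepted:", parse_param_safe(literal, list))
    try:
        parse_param_safe(expression, list)
    except ValueError as err:
        print("safe handler rejected:", err)
    # Constructed source snippet for the audit helper.
    sample_source = "x = eval(s)\ny = len(s)\nz = exec(t)\n"
    print("eval/exec call sites:", find_eval_calls(sample_source))
```

The two parsers are fed the same string: the unsafe one happily evaluates the expression, while the safe one raises on it and only accepts the literal. The audit helper is the detection side of the same lesson: grep for `eval(` catches comments and strings too, whereas walking the AST reports only real call sites.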
Published on cybersecuritynews.com, Mon, 07 Apr 2025 08:15:09 +0000.