
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN795
_____________________________________________________________________

DATE                : 14/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running pgadmin4 versions prior to 9.10.

=====================================================================
https://github.com/advisories/GHSA-w2p4-p4rh-qcm3
https://www.pgadmin.org/
_____________________________________________________________________


pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in
server mode

Critical severity. GitHub Reviewed. Published Nov 13, 2025 to the
GitHub Advisory Database. Updated Nov 13, 2025.

Vulnerability details

Package
pgadmin4 (pip)

Affected versions
< 9.10

Patched versions
9.10


Description

pgAdmin versions up to 9.9 are affected by a Remote Code Execution
(RCE) vulnerability that occurs when running in server mode and
performing restores from PLAIN-format dump files. This issue allows
attackers to inject and execute arbitrary commands on the server
hosting pgAdmin, posing a critical risk to the integrity and security
of the database management system and underlying data.
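As an added example (not part of the CERT-Renater note and not pgAdmin's own code), a small Python check that decides whether an installed pgadmin4 package falls in the affected range "< 9.10". It compares versions numerically rather than as strings, since a plain string comparison ranks "9.9" above "9.10" and would report an affected host as patched. The `pip show pgadmin4` output below is constructed, and calling `pip` on the path is an assumption.

```python
import re
import subprocess

# First fixed release according to the advisory (GHSA-w2p4-p4rh-qcm3).
PATCHED = "9.10"


def parse_version(v: str) -> tuple:
    """Turn '9.9' or '9.10.1' into a tuple of ints for numeric comparison."""
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, patched: str = PATCHED) -> bool:
    """True when the installed version is strictly below the patched release."""
    return parse_version(installed) < parse_version(patched)


def version_from_pip_show(output: str) -> str:
    """Extract the 'Version:' field from `pip show pgadmin4` output."""
    m = re.search(r"^Version:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version: line in pip show output")
    return m.group(1)


def installed_pgadmin_version() -> str:
    """Ask the local pip for pgadmin4 (assumes `pip` is on PATH); raises if absent."""
    proc = subprocess.run(["pip", "show", "pgadmin4"],
                          capture_output=True, text=True, check=True)
    return version_from_pip_show(proc.stdout)


# Constructed sample of `pip show pgadmin4` output, not captured from a real host.
SAMPLE_PIP_SHOW = """Name: pgadmin4
Version: 9.9
Summary: PostgreSQL Tools
"""

if __name__ == "__main__":
    v = version_from_pip_show(SAMPLE_PIP_SHOW)
    status = f"AFFECTED, upgrade to {PATCHED}" if is_affected(v) else "patched"
    print(f"pgadmin4 {v}: {status}")
```

Replace `SAMPLE_PIP_SHOW` with `installed_pgadmin_version()` to check a real host.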


References

    https://nvd.nist.gov/vuln/detail/CVE-2025-12762
    pgadmin-org/pgadmin4#9320
    pgadmin-org/pgadmin4@1d39739



Severity
Critical
9.3 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

EPSS score

Weaknesses
Weakness CWE-94

CVE ID
CVE-2025-12762

GHSA ID
GHSA-w2p4-p4rh-qcm3

Source code
pgadmin-org/pgadmin4

Credits

    @jonbally (Analyst)

_____________________________________________________________________

News 


2025-11-13 - pgAdmin 4 v9.10 Released

The pgAdmin Development Team is pleased to announce pgAdmin 4 version
9.10. This release of pgAdmin 4 includes 5 new features and 12 bug
fixes/housekeeping changes. For more details, please see the release
notes.


Notable changes in this release include:

Features:

    Added the ability to search for tables and automatically bring
    them into view in the ERD tool.
    Add support of DEPENDS/NO DEPENDS ON EXTENSION for PROCEDURE.
    Add support for setting image download resolution in the ERD
    tool.
    Add support for displaying detailed Citus query plans instead
    of the 'Custom Scan' placeholder.
    Add support for formatting the .pgerd ERD project file.


Bugs/Housekeeping:

    Fixed an issue where data output column resize was not sticking
    in Safari.
    Fixed an issue where Schema Diff did not ignore Tablespace for
    indexes.
    Fixed an issue where the 2FA window redirected to the login
    page after session expiration.
    Fixed an issue where the Select All option on the columns tab
    of import/export data was not working in languages other than
    English.
    Fixed an issue where the Debian build process failed with a
    "Sphinx module not found" error when using a Python virtual
    environment.
    Fixed an issue where the last used storage directory was reset
    to blank, leading to access denied errors during backup or
    restore operations.
    Fixed an issue that prevented assigning multiple users to an
    RLS policy.
    Fixed remote code execution vulnerability when restoring
    PLAIN-format SQL dumps in server mode (CVE-2025-12762).
    Fixed command injection vulnerability allowing arbitrary
    command execution on Windows (CVE-2025-12763).
    Fixed LDAP authentication flow vulnerable to TLS certificate
    verification bypass (CVE-2025-12765).
    Fixed LDAP injection vulnerability in LDAP authentication
    flow (CVE-2025-12764).
    Migrate pgAdmin UI to use React 19.


Download your copy now!

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
