pgadmin4 4.25 vulnerabilities

Known vulnerabilities in the pgadmin4 package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
C Remote Code Execution (RCE) pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Remote Code Execution (RCE) in the Cloud Deployment with Google Provider module, which is accessible via the `high_availability` parameter to the `/deploy` endpoint and in the Query Tool interface, which is accessible via the `query_commited` parameter to the `/download` endpoint. An attacker can execute arbitrary commands with the privileges of the application user. How to fix Remote Code Execution (RCE)? Upgrade `pgadmin4` to version 9.2 or higher.	[,9.2)
M Cross-site Scripting (XSS) pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the `measureText()` function, accessible via the Query Tool interface. An attacker can inject malicious scripts into the displayed output. How to fix Cross-site Scripting (XSS)? Upgrade `pgadmin4` to version 9.2 or higher.	[,9.2)
M Race Condition pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Race Condition during the LDAP authentication process. An attacker can hijack another user's session by initiating multiple simultaneous login attempts. How to fix Race Condition? Upgrade `pgadmin4` to version 7.0 or higher.	[,7.0)
H Information Exposure pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Information Exposure due to improper handling of OAuth2 authentication credentials. How to fix Information Exposure? Upgrade `pgadmin4` to version 8.12 or higher.	[,8.12)
M Cross-site Scripting (XSS) pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `/settings/store` API response json payload. An attacker can execute malicious script at the client end by injecting script content into the json response. How to fix Cross-site Scripting (XSS)? Upgrade `pgadmin4` to version 8.6 or higher.	[,8.6)
M Authentication Bypass pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Authentication Bypass due to a flaw in the multi-factor authentication process. An attacker with knowledge of a legitimate account's username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account's MFA enrollment status. How to fix Authentication Bypass? Upgrade `pgadmin4` to version 8.6 or higher.	[,8.6)
H Improper Control of Generation of Code ('Code Injection') pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the validate binary path API. An attacker can execute arbitrary code on the server hosting the application, posing a severe risk to the integrity of the database management system and the security of the underlying data. How to fix Improper Control of Generation of Code ('Code Injection')? Upgrade `pgadmin4` to version 8.5 or higher.	[,8.5)
M Deserialization of Untrusted Data pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the use of a file-based session management approach where session files are saved on disk as pickle objects. An attacker can execute arbitrary code on the system by manipulating the session ID to escape the intended session folder path and point to a maliciously crafted file. How to fix Deserialization of Untrusted Data? Upgrade `pgadmin4` to version 8.4 or higher.	[,8.4)
M Command Injection pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Command Injection when the HTTP API validates the path a user selects to external PostgreSQL utilities such as `pg_dump` and `pg_restore`. A user can run arbitrary commands on the server by passing commands as filenames. NOTE: This issue does not affect pgAdmin's desktop mode. How to fix Command Injection? Upgrade `pgadmin4` to version 7.7 or higher.	[,7.7)
M Directory Traversal pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Directory Traversal due to improper input sanitization, which allows pgAdmin users who are authenticated to access each other's directories and files by providing relative paths. How to fix Directory Traversal? Upgrade `pgadmin4` to version 6.19 or higher.	[,6.19)
M Open Redirect pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Open Redirect. Allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL. How to fix Open Redirect? Upgrade `pgadmin4` to version 6.14 or higher.	[,6.14)
H Arbitrary Code Injection pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Arbitrary Code Injection by allowing an unauthenticated user to call an `HTTP API` with a path of their choosing, such as a `UNC` path to a server they control on a Windows machine. This would cause an appropriately named executable in the target path to be executed by the `pgAdmin` server. Note: This issue does not affect users running `pgAdmin` in desktop mode. How to fix Arbitrary Code Injection? Upgrade `pgadmin4` to version 6.17 or higher.	[,6.17)
L Directory Traversal pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Directory Traversal. A malicious user can construct an `HTTP` request using their existing `CSRF` token and session cookie to manually upload files to any location that the operating system user account has permission to write. That is because the URI to which upload requests are made fails to validate the upload path. How to fix Directory Traversal? Upgrade `pgadmin4` to version 6.7 or higher.	[,6.7)

Vulnerability

Vulnerable Version

Remote Code Execution (RCE)

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Remote Code Execution (RCE) in the Cloud Deployment with Google Provider module, which is accessible via the high_availability parameter to the /deploy endpoint and in the Query Tool interface, which is accessible via the query_commited parameter to the /download endpoint. An attacker can execute arbitrary commands with the privileges of the application user.

How to fix Remote Code Execution (RCE)?

Upgrade pgadmin4 to version 9.2 or higher.

[,9.2)

Cross-site Scripting (XSS)

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the measureText() function, accessible via the Query Tool interface. An attacker can inject malicious scripts into the displayed output.

How to fix Cross-site Scripting (XSS)?

Upgrade pgadmin4 to version 9.2 or higher.

[,9.2)

Race Condition

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Race Condition during the LDAP authentication process. An attacker can hijack another user's session by initiating multiple simultaneous login attempts.

How to fix Race Condition?

Upgrade pgadmin4 to version 7.0 or higher.

[,7.0)

Information Exposure

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Information Exposure due to improper handling of OAuth2 authentication credentials.

How to fix Information Exposure?

Upgrade pgadmin4 to version 8.12 or higher.

[,8.12)

Cross-site Scripting (XSS)

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /settings/store API response json payload. An attacker can execute malicious script at the client end by injecting script content into the json response.

How to fix Cross-site Scripting (XSS)?

Upgrade pgadmin4 to version 8.6 or higher.

[,8.6)

Authentication Bypass

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Authentication Bypass due to a flaw in the multi-factor authentication process. An attacker with knowledge of a legitimate account's username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account's MFA enrollment status.

How to fix Authentication Bypass?

Upgrade pgadmin4 to version 8.6 or higher.

[,8.6)

Improper Control of Generation of Code ('Code Injection')

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the validate binary path API. An attacker can execute arbitrary code on the server hosting the application, posing a severe risk to the integrity of the database management system and the security of the underlying data.

How to fix Improper Control of Generation of Code ('Code Injection')?

Upgrade pgadmin4 to version 8.5 or higher.

[,8.5)

Deserialization of Untrusted Data

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the use of a file-based session management approach where session files are saved on disk as pickle objects. An attacker can execute arbitrary code on the system by manipulating the session ID to escape the intended session folder path and point to a maliciously crafted file.

How to fix Deserialization of Untrusted Data?

Upgrade pgadmin4 to version 8.4 or higher.

[,8.4)

Command Injection

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Command Injection when the HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. A user can run arbitrary commands on the server by passing commands as filenames.

NOTE: This issue does not affect pgAdmin's desktop mode.

How to fix Command Injection?

Upgrade pgadmin4 to version 7.7 or higher.

[,7.7)

Directory Traversal

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Directory Traversal due to improper input sanitization, which allows pgAdmin users who are authenticated to access each other's directories and files by providing relative paths.

How to fix Directory Traversal?

Upgrade pgadmin4 to version 6.19 or higher.

[,6.19)

Open Redirect

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Open Redirect. Allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL.

How to fix Open Redirect?

Upgrade pgadmin4 to version 6.14 or higher.

[,6.14)

Arbitrary Code Injection

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Arbitrary Code Injection by allowing an unauthenticated user to call an HTTP API with a path of their choosing, such as a UNC path to a server they control on a Windows machine. This would cause an appropriately named executable in the target path to be executed by the pgAdmin server.

Note:

This issue does not affect users running pgAdmin in desktop mode.

How to fix Arbitrary Code Injection?

Upgrade pgadmin4 to version 6.17 or higher.

[,6.17)

Directory Traversal

pgadmin4 is a PostgreSQL Tools

Affected versions of this package are vulnerable to Directory Traversal. A malicious user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account has permission to write. That is because the URI to which upload requests are made fails to validate the upload path.

How to fix Directory Traversal?

Upgrade pgadmin4 to version 6.7 or higher.

[,6.7)

pgadmin4@4.25 vulnerabilities

PostgreSQL Tools

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?