
CVE-2025-2945: Vulnerability in pgadmin.org pgAdmin 4

Severity: Critical
Published: Thu Apr 03 2025 (04/03/2025, 12:23:14 UTC)
Source: CVE Database V5
Vendor/Project: pgadmin.org
Product: pgAdmin 4

Description

Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with two POST endpoints: /sqleditor/query_tool/download, where the query_commited parameter, and /cloud/deploy, where the high_availability parameter, is unsafely passed to the Python eval() function, allowing arbitrary code execution. This issue affects pgAdmin 4 before 9.2.

AI-Powered Analysis

Last updated: 02/26/2026, 20:00:55 UTC

Technical Analysis

CVE-2025-2945 is a critical remote code execution (RCE) vulnerability in pgAdmin 4, a widely used open-source management tool for PostgreSQL databases. The flaw exists in two POST endpoints, /sqleditor/query_tool/download and /cloud/deploy, where user-controlled parameters (query_commited and high_availability, respectively) are passed to Python's eval() function. eval() executes its argument as Python code, so without validation of these values an attacker can inject and run arbitrary Python code on the server hosting pgAdmin 4. All versions before 9.2 are affected.

Exploitation requires low privileges (PR:L) but no user interaction (UI:N), and the attack can be launched remotely over the network (AV:N). The vulnerability impacts confidentiality, integrity and availability (C:H/I:H/A:H): an attacker can execute arbitrary commands, potentially leading to full system compromise, data theft or service disruption. Although no exploits are currently reported in the wild, the CVSS score of 9.9 reflects the severity of the flaw. The root cause is classified as CWE-94 (Improper Control of Generation of Code), a common and dangerous coding error.

The vulnerability is particularly concerning in cloud deployment and multi-tenant environments where pgAdmin 4 manages PostgreSQL instances, since an attacker could use it to pivot within the network or escalate privileges. No official patches or mitigations are listed in the provided data, but the affected-version range implies that upgrading to pgAdmin 4 version 9.2 or later is the fix. The PostgreSQL community and administrators should prioritize addressing this vulnerability.

Potential Impact

The impact of CVE-2025-2945 is severe and multifaceted. Successful exploitation allows remote attackers with low privileges to execute arbitrary code on the pgAdmin 4 server, potentially gaining full control over the host system. This can lead to unauthorized data access, modification, or deletion, compromising confidentiality and integrity. Additionally, attackers could disrupt database management operations or the underlying server, affecting availability. In cloud or multi-tenant environments, the vulnerability could facilitate lateral movement or privilege escalation, increasing the attack surface. Organizations relying on pgAdmin 4 for critical database administration, especially those managing sensitive or regulated data, face risks of data breaches, operational downtime, and reputational damage. The ease of exploitation and lack of required user interaction exacerbate the threat, making automated attacks feasible. Although no exploits are currently known in the wild, the vulnerability's critical nature demands immediate attention to prevent potential widespread attacks.

Mitigation Recommendations

To mitigate CVE-2025-2945, organizations should immediately upgrade pgAdmin 4 to version 9.2 or later, where the vulnerability is addressed. Until the upgrade is applied, restrict network access to the vulnerable endpoints (/sqleditor/query_tool/download and /cloud/deploy) using firewalls, web application firewalls (WAFs), or network segmentation to limit exposure. Implement strict access controls and authentication mechanisms to reduce the risk of unauthorized access. Monitor logs for suspicious POST requests targeting these endpoints, especially those containing unusual payloads in the query_commited or high_availability parameters. Employ runtime application self-protection (RASP) or intrusion detection systems (IDS) to detect and block attempts to exploit eval() injection. Review and sanitize all user inputs rigorously in custom deployments or extensions of pgAdmin 4 to prevent similar code injection flaws. Educate administrators about the risks of unsafe eval() usage and encourage secure coding practices. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.
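As an added example (not pgAdmin's own code), the allowlist check a defender applies in both places the recommendations above call for: a strict boolean parser that replaces eval() on these two form fields, and a log scan that flags POSTs to the two endpoints whose query_commited or high_availability value is anything other than a boolean. The log format, the set of legitimate values, and the prefix match on the endpoint paths are assumptions for illustration; pgAdmin's real request logging and routes differ.

```python
from urllib.parse import parse_qs, urlsplit

# Endpoint prefixes and the parameter named for each in the advisory.
# Prefix match because the live route may carry extra path segments (assumption).
WATCHED = {
    "/sqleditor/query_tool/download": "query_commited",
    "/cloud/deploy": "high_availability",
}
# Values a legitimate client sends for a boolean form field (assumption).
ALLOWED = {"true", "false", "1", "0"}

def parse_bool_strict(value: str) -> bool:
    """Allowlist parser: the safe replacement for eval() on a boolean form field."""
    v = value.strip().lower()
    if v in ("true", "1"):
        return True
    if v in ("false", "0"):
        return False
    raise ValueError(f"not a boolean: {value!r}")

def classify(line: str):
    """Return (endpoint, param, value) when a POST carries a non-boolean value
    in a watched parameter; None for anything else. Constructed line format:
    'METHOD PATH urlencoded-body'."""
    parts = line.split(" ", 2)
    if len(parts) != 3 or parts[0] != "POST":
        return None
    path = urlsplit(parts[1]).path
    body = parse_qs(parts[2], keep_blank_values=True)  # blank values are flagged too
    for prefix, param in WATCHED.items():
        if path.startswith(prefix) and param in body:
            for value in body[param]:
                if value.strip().lower() not in ALLOWED:
                    return (prefix, param, value)
    return None

def suspicious_requests(lines):
    """Filter a log to the requests worth alerting on."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines, not real pgAdmin output.
SAMPLE_LOG = [
    "POST /sqleditor/query_tool/download/12 query_commited=true&filename=out.csv",
    "POST /cloud/deploy high_availability=false&cloud=aws",
    "GET /sqleditor/query_tool/download/12 query_commited=print(1)",
    "POST /sqleditor/query_tool/download/12 query_commited=print(1)&filename=x",
    "POST /cloud/deploy high_availability=1%2B1",
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("ALERT non-boolean value on", *hit)
```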


Technical Details

Data Version: 5.2
Assigner Short Name: PostgreSQL
Date Reserved: 2025-03-29T01:38:35.441Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69a0a1c385912abc71d0b6bb

Added to database: 2/26/2026, 7:40:51 PM

Last enriched: 2/26/2026, 8:00:55 PM

Last updated: 2/26/2026, 11:11:13 PM
