6.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-12763

CVE-2025-12763: pgAdmin 4 has command injection vulnerability on Windows systems

pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-12763

CVE-2025-12763:

6.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pgadmin4	pip	<= 9.9	9.10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in pgAdmin 4 on Windows systems due to command injection in the backup and restore functionalities. The root cause is the use of shell=True in the subprocess.Popen call within the execute function of the process_executor.py module. This is a generic background process executor used by various parts of pgAdmin, including backup and restore. When a user initiates a backup or restore operation with a specially crafted file path containing shell metacharacters, these characters are interpreted by the Windows shell, leading to arbitrary command execution. The provided patch directly addresses this by setting shell=False for all operating systems, thereby neutralizing the command injection vector. The change in web/pgadmin/tools/restore/__init__.py is related to how file paths are handled before being passed to the execution process, but the core vulnerability lies in the execute function itself, which is the final point of execution for the injected command.

Vulnerable functions

pgadmin.misc.bgprocess.process_executor.execute

web/pgadmin/misc/bgprocess/process_executor.py

The function `execute` in `process_executor.py` was using `shell=True` when creating a subprocess on Windows systems. This allows an attacker to inject arbitrary commands by crafting a malicious file path during backup or restore operations. The patch remediates this by setting `shell=False`, thus preventing the shell from interpreting the input as commands.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-12763: pgAdmin 4 has command injection vulnerability on Windows systems

CVE-2025-12763:

6.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

6.8

6.8

CVE-2025-12763: pgAdmin 4 has command injection vulnerability on Windows systems

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI