CVE-2025-2946: pgAdmin 4 Vulnerable to Cross-Site Scripting (XSS) via Query Result Rendering

CVSS Score (v3.1): 9.1

Basic Information

EPSS Score: 0.10085%
Published: 4/3/2025
Updated: 4/4/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H

Package Name: pgadmin4
Ecosystem: pip
Vulnerable Versions: < 9.2
First Patched Version: 9.2

Vulnerability Intelligence
Root Cause Analysis

The vulnerability is a DOM-based XSS in the query result rendering functionality. The patch shows a critical change in the measureText function in utils.js where the code was modified from using innerHTML (which is XSS-prone) to textContent (which is safe). This function appears to be part of the text measurement system used when rendering query results. The change directly addresses the XSS vulnerability by preventing HTML/JavaScript injection through the text parameter. The function would appear in a runtime profiler when malicious query results are being processed for display, making it a key indicator for detection.
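The following is an added example, not pgAdmin's code: it shows the vulnerable and fixed shapes of a text-measuring helper like the one the analysis above describes, run against a constructed query-result cell. Node has no DOM, so StandInElement is a constructed stand-in that models only the two behaviours that matter here: assigning innerHTML parses the string as markup (and a browser would run any script or on* handler that parse creates), while assigning textContent stores it as inert text. The function names measureTextVulnerable, measureTextFixed and compare are hypothetical.

```javascript
// Added example (not pgAdmin's code). Node has no DOM, so StandInElement is a
// constructed stand-in: its innerHTML setter approximates the HTML parser just
// enough to show markup being instantiated; textContent stores the string as-is.

class StandInElement {
  constructor() {
    this.childTags = [];     // element names a real HTML parser would create
    this.renderedText = "";  // what would actually be laid out on screen
    this.handlersArmed = 0;  // <script> or on* handlers a browser would execute
  }

  // innerHTML: the string is parsed as markup, not treated as data.
  set innerHTML(markup) {
    const s = String(markup);
    this.childTags = [];
    this.handlersArmed = 0;
    const tagRe = /<\s*([a-zA-Z][\w-]*)([^>]*)>/g;
    let m;
    while ((m = tagRe.exec(s)) !== null) {
      const name = m[1].toLowerCase();
      this.childTags.push(name);
      if (name === "script" || /\son[a-z]+\s*=/i.test(m[2])) this.handlersArmed++;
    }
    this.renderedText = s.replace(/<[^>]*>/g, ""); // tags are consumed, not shown
  }

  // textContent: the parser is never invoked, every character is literal text.
  set textContent(value) {
    this.childTags = [];
    this.handlersArmed = 0;
    this.renderedText = String(value);
  }

  // Stand-in for layout: 8px per rendered character.
  get offsetWidth() { return this.renderedText.length * 8; }
}

// Vulnerable shape: untrusted cell text reaches innerHTML.
function measureTextVulnerable(text, el) {
  el.innerHTML = text;
  return el.offsetWidth;
}

// Fixed shape, as the advisory describes: textContent instead of innerHTML.
function measureTextFixed(text, el) {
  el.textContent = text;
  return el.offsetWidth;
}

// Constructed query-result cell: a column value that anyone able to write to
// the queried table controls, and that the viewer's browser later renders.
const CONSTRUCTED_CELL = 'Hello<img src=x onerror="alert(1)">';

// Runs both versions on one cell and reports what the browser would have done.
function compare(cell) {
  const v = new StandInElement();
  const f = new StandInElement();
  const vulnerableWidth = measureTextVulnerable(cell, v);
  const fixedWidth = measureTextFixed(cell, f);
  return {
    vulnerable: { width: vulnerableWidth, childTags: v.childTags, handlersArmed: v.handlersArmed },
    fixed: { width: fixedWidth, childTags: f.childTags, handlersArmed: f.handlersArmed },
  };
}

console.log(JSON.stringify(compare(CONSTRUCTED_CELL), null, 2));
```

Two things fall out of the run. The innerHTML path instantiates an img element with an armed onerror handler, which is the XSS; it also mis-measures the cell (only "Hello" is laid out, so the width is far too small), because the markup it was supposed to measure has been consumed by the parser. The textContent path arms nothing and measures the full 35-character string, which is the only correct answer for a function whose job is to size the text as displayed.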


WAF Protection Rules

WAF Rule

pgadmin <= *.* is affected by a Cross-Site Scripting (XSS) vulnerability: attackers can execute arbitrary HTML/JavaScript in a user's browser through query result rendering.
