How CVE-2025-2946 Works
pgAdmin <= 9.1 fails to properly sanitize user-supplied input when rendering query results. An attacker crafts a SQL query whose result set contains a JavaScript payload; when the results are displayed in the web interface, the payload executes in the victim’s browser. Because pgAdmin typically runs with high privileges, this stored XSS enables session hijacking, credential theft, or admin impersonation. The attack triggers when a victim views the manipulated query output without HTML escaping.
DailyCVE Form:
Platform: pgAdmin
Version: <= 9.1
Vulnerability: Stored XSS
Severity: Medium
Date: 04/23/2025
What Undercode Say:
Analytics:
- Attack Vector: Network
- Complexity: Low
- User Interaction: Required
- Exploitability: High
Exploit Command:
SELECT '<script>alert(document.cookie)</script>' AS "malicious_column";
Proof of Concept (PoC):
fetch('/sqleditor/execute', { method: 'POST', body: JSON.stringify({ "query": "SELECT '<img src=x onerror=alert(`XSS`)>'" }) });
Mitigation Steps:
1. Upgrade to pgAdmin 9.2+
2. Apply input sanitization:
from markupsafe import escape  # flask.escape re-exported this and was removed in Flask 3.0

def sanitize_output(data):
    # HTML-escape a string so '<', '>', '&' and quotes cannot form live markup
    return escape(data)
3. CSP Header Implementation:
# 'unsafe-inline' in script-src would let the injected <script> run and defeat the policy
add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
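As an added example (not pgAdmin's code or the page's own), a per-cell version of the escaping from step 2 applied to a constructed result payload, plus a check of the CSP from step 3. It assumes the client inserts result cells as HTML, which is why server-side escaping is the fix here; the payload field names are made up.

```python
import html
from typing import Any

# Constructed sample of a query-result payload: column names plus rows, with one
# cell carrying the page's <script> payload. Field names are an assumption, not
# pgAdmin's real response format.
SAMPLE_RESULT = {
    "colinfo": [{"name": "id"}, {"name": "malicious_column"}],
    "result": [
        [1, "<script>alert(document.cookie)</script>"],
        [2, 'plain text & "quotes"'],
        [3, None],
    ],
}

def escape_cell(value: Any) -> Any:
    """Escape string cells only; numbers, booleans and NULL pass through so the
    JSON shape the client expects is preserved."""
    return html.escape(value, quote=True) if isinstance(value, str) else value

def sanitize_result(result: dict) -> dict:
    """Copy of the payload with every string cell and column name HTML-escaped.
    Escaping per cell (not the whole object) keeps jsonify() output well-formed."""
    return {
        "colinfo": [{**c, "name": escape_cell(c["name"])} for c in result["colinfo"]],
        "result": [[escape_cell(v) for v in row] for row in result["result"]],
    }

def contains_active_markup(result: dict) -> bool:
    """True if any string cell still carries a raw '<' or '>', i.e. the client
    would receive live HTML."""
    return any(isinstance(v, str) and ("<" in v or ">" in v)
               for row in result["result"] for v in row)

def csp_allows_inline_script(header: str) -> bool:
    """True if a Content-Security-Policy value lets inline <script> execute:
    no script restriction at all, or the effective script source list
    (script-src, else default-src) contains 'unsafe-inline' with no nonce or
    hash source overriding it."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "script-src" not in directives and "default-src" not in directives:
        return True
    sources = directives.get("script-src", directives.get("default-src", []))
    overridden = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                     for s in sources)
    return "'unsafe-inline'" in sources and not overridden
```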
Detection Query:
SELECT name, setting FROM pg_settings WHERE name LIKE '%xss%';
Log Analysis:
grep -rE "onerror|script|eval" /var/log/pgadmin/
Patch Diff:
- return jsonify(query_result) + return jsonify(sanitize_output(query_result))
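Review bot: the replacement line hands the whole query_result to sanitize_output(), but the sanitize_output() shown in step 2 just wraps escape(), which stringifies anything that is not already a string; applied to a dict or list result this collapses the rows into a single escaped string, so jsonify() no longer returns the structure the client expects. Escape per cell (string values only) or, better, encode at the point where cells are inserted into the DOM; the diff also carries no test for a result containing '<'.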
WAF Rule:
<rule id="1001" level="2">
  <pattern>script|onerror|javascript:</pattern>
</rule>
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode