pgadmin4@4.24 vulnerabilities

PostgreSQL Tools

  • latest version: 9.11

  • latest non vulnerable version

  • first published: 5 years ago

  • latest version published: 3 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the pgadmin4 package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerabilities and vulnerable version ranges:
    • Arbitrary Code Injection (Medium severity)

    Affected versions of this package are vulnerable to Arbitrary Code Injection via the has_meta_commands() function. An attacker can execute arbitrary commands on the system by crafting a SQL file that begins with a UTF-8 Byte Order Mark or special byte sequences, which bypass the implemented filter and allow undetected meta-commands to be processed during a restore operation.

    How to fix Arbitrary Code Injection?

    Upgrade pgadmin4 to version 9.11 or higher.

    Vulnerable versions: [,9.11)
    • Arbitrary Command Injection (Critical severity)

    Affected versions of this package are vulnerable to Arbitrary Command Injection via the backup and restore processes when handling file path input with shell execution enabled. An attacker can execute arbitrary system commands by supplying specially crafted file paths.

    How to fix Arbitrary Command Injection?

    Upgrade pgadmin4 to version 9.10 or higher.

    Vulnerable versions: [,9.10)
    • Arbitrary Code Injection (Critical severity)

    Affected versions of this package are vulnerable to Arbitrary Code Injection via PLAIN-format SQL files, which may contain meta-commands. An attacker can execute arbitrary commands on the server by supplying a crafted PLAIN-format SQL dump file during restoration in server mode.

    How to fix Arbitrary Code Injection?

    Upgrade pgadmin4 to version 9.10 or higher.

    Vulnerable versions: [,9.10)
    • Improper Certificate Validation (High severity)

    Affected versions of this package are vulnerable to Improper Certificate Validation due to a TLS certificate verification bypass. An attacker can gain unauthorized access by exploiting the improper TLS certificate verification during authentication.

    How to fix Improper Certificate Validation?

    Upgrade pgadmin4 to version 9.10 or higher.

    Vulnerable versions: [,9.10)
    • Denial of Service (DoS) (High severity)

    Affected versions of this package are vulnerable to Denial of Service (DoS) via the username from the login form, which is inserted into the LDAP search filter without escaping. An attacker can cause the server and client to process excessive data by injecting special LDAP characters into the username, leading to resource exhaustion.

    How to fix Denial of Service (DoS)?

    Upgrade pgadmin4 to version 9.10 or higher.

    Vulnerable versions: [,9.10)
    • Origin Validation Error (Medium severity)

    Affected versions of this package are vulnerable to Origin Validation Error via improper enforcement of cross-origin opener policy in the OAuth authentication process. An attacker can gain unauthorized access to user accounts, escalate privileges, or exfiltrate sensitive data by manipulating the OAuth flow.

    How to fix Origin Validation Error?

    Upgrade pgadmin4 to version 9.8 or higher.

    Vulnerable versions: [,9.8)
    • Remote Code Execution (RCE) (Critical severity)

    Affected versions of this package are vulnerable to Remote Code Execution (RCE) in the Cloud Deployment with Google Provider module, which is accessible via the high_availability parameter to the /deploy endpoint, and in the Query Tool interface, which is accessible via the query_commited parameter to the /download endpoint. An attacker can execute arbitrary commands with the privileges of the application user.

    How to fix Remote Code Execution (RCE)?

    Upgrade pgadmin4 to version 9.2 or higher.

    Vulnerable versions: [,9.2)
    • Cross-site Scripting (XSS) (Medium severity)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the measureText() function, accessible via the Query Tool interface. An attacker can inject malicious scripts into the displayed output.

    How to fix Cross-site Scripting (XSS)?

    Upgrade pgadmin4 to version 9.2 or higher.

    Vulnerable versions: [,9.2)
    • Race Condition (Medium severity)

    Affected versions of this package are vulnerable to Race Condition during the LDAP authentication process. An attacker can hijack another user's session by initiating multiple simultaneous login attempts.

    How to fix Race Condition?

    Upgrade pgadmin4 to version 7.0 or higher.

    Vulnerable versions: [,7.0)
    • Information Exposure (High severity)

    Affected versions of this package are vulnerable to Information Exposure due to improper handling of OAuth2 authentication credentials.

    How to fix Information Exposure?

    Upgrade pgadmin4 to version 8.12 or higher.

    Vulnerable versions: [,8.12)
    • Cross-site Scripting (XSS) (Medium severity)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /settings/store API response JSON payload. An attacker can execute a malicious script on the client side by injecting script content into the JSON response.

    How to fix Cross-site Scripting (XSS)?

    Upgrade pgadmin4 to version 8.6 or higher.

    Vulnerable versions: [,8.6)
    • Authentication Bypass (Medium severity)

    Affected versions of this package are vulnerable to Authentication Bypass due to a flaw in the multi-factor authentication process. An attacker with knowledge of a legitimate account's username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account's MFA enrollment status.

    How to fix Authentication Bypass?

    Upgrade pgadmin4 to version 8.6 or higher.

    Vulnerable versions: [,8.6)
    • Improper Control of Generation of Code ('Code Injection') (High severity)

    Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the validate binary path API. An attacker can execute arbitrary code on the server hosting the application, posing a severe risk to the integrity of the database management system and the security of the underlying data.

    How to fix Improper Control of Generation of Code ('Code Injection')?

    Upgrade pgadmin4 to version 8.5 or higher.

    Vulnerable versions: [,8.5)
    • Deserialization of Untrusted Data (Medium severity)

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the use of a file-based session management approach where session files are saved on disk as pickle objects. An attacker can execute arbitrary code on the system by manipulating the session ID to escape the intended session folder path and point to a maliciously crafted file.

    How to fix Deserialization of Untrusted Data?

    Upgrade pgadmin4 to version 8.4 or higher.

    Vulnerable versions: [,8.4)
    • Command Injection (Medium severity)

    Affected versions of this package are vulnerable to Command Injection when the HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. A user can run arbitrary commands on the server by passing commands as filenames.

    NOTE: This issue does not affect pgAdmin's desktop mode.

    How to fix Command Injection?

    Upgrade pgadmin4 to version 7.7 or higher.

    Vulnerable versions: [,7.7)
    • Directory Traversal (Medium severity)

    Affected versions of this package are vulnerable to Directory Traversal due to improper input sanitization, which allows authenticated pgAdmin users to access each other's directories and files by providing relative paths.

    How to fix Directory Traversal?

    Upgrade pgadmin4 to version 6.19 or higher.

    Vulnerable versions: [,6.19)
    • Open Redirect (Medium severity)

    Affected versions of this package are vulnerable to Open Redirect, which allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having the user access a specially crafted URL.

    How to fix Open Redirect?

    Upgrade pgadmin4 to version 6.14 or higher.

    Vulnerable versions: [,6.14)
    • Arbitrary Code Injection (High severity)

    Affected versions of this package are vulnerable to Arbitrary Code Injection by allowing an unauthenticated user to call an HTTP API with a path of their choosing, such as a UNC path to a server they control on a Windows machine. This would cause an appropriately named executable in the target path to be executed by the pgAdmin server.

    Note: This issue does not affect users running pgAdmin in desktop mode.

    How to fix Arbitrary Code Injection?

    Upgrade pgadmin4 to version 6.17 or higher.

    Vulnerable versions: [,6.17)
    • Directory Traversal (Low severity)

    Affected versions of this package are vulnerable to Directory Traversal. A malicious user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account has permission to write, because the URI to which upload requests are made fails to validate the upload path.

    How to fix Directory Traversal?

    Upgrade pgadmin4 to version 6.7 or higher.

    Vulnerable versions: [,6.7)