轉發 國家資安資訊分享與分析中心 資安訊息警訊 NISAC-200-202601-00000012

[內容說明]
研究人員發現PostgreSQL圖形化介面工具pgAdmin存在程式碼注入(Code Injection)漏洞(CVE-2025-13780)。當系統處於伺服器模式(Server Mode)下，取得一般權限之遠端攻擊者可上傳特製惡意備份檔，後續當觸發PLAIN格式備份檔還原功能時，系統會解析特製備份檔，進而於pgAdmin主機上執行任意程式碼，請儘速確認並進行修補。

[影響平台]
pgAdmin 9.10(含)以下版本

[建議措施]
更新pgAdmin至9.11(含)以上版本

[參考資料]
1. https://nvd.nist.gov/vuln/detail/CVE-2025-13780
2. https://www.endorlabs.com/learn/when-regex-isnt-enough-how-we-discovered-cve-2025-13780-in-pgadmin

Forwarded from the National Cybersecurity Information Sharing and Analysis Center: Cybersecurity Alert NISAC-200-202601-00000012

[Content Description]
Researchers have discovered a code injection vulnerability (CVE-2025-13780) in the PostgreSQL graphical interface tool pgAdmin. When the system is in server mode, a remote attacker with normal privileges can upload a specially crafted malicious backup file. Subsequently, when the PLAIN format backup file restoration function is triggered, the system will parse the specially crafted backup file, thereby executing arbitrary code on the pgAdmin host. Please confirm and patch this vulnerability as soon as possible.

[Affected Platforms]
pgAdmin versions 9.10 and below

[Recommended Actions]
Update pgAdmin to version 9.11 or above

[References]
1. https://nvd.nist.gov/vuln/detail/CVE-2025-13780
2. https://www.endorlabs.com/learn/when-regex-isnt-enough-how-we-discovered-cve-2025-13780-in-pgadmin