CVE-2025-12764

7.5 HIGH

📋 TL;DR

pgAdmin versions up to 9.9 have an LDAP injection vulnerability in the authentication flow that allows attackers to inject special LDAP characters in usernames. This can cause denial of service by making the LDAP server and client process excessive data. All pgAdmin deployments using LDAP authentication are affected.

💻 Affected Systems

Products:
  • pgAdmin
Versions: <= 9.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using LDAP authentication. Local authentication and other auth methods are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service for pgAdmin authentication, potentially affecting all users and causing service disruption until the LDAP server recovers from resource exhaustion.

🟠 Likely Case: Temporary authentication service disruption for pgAdmin users, requiring an LDAP server restart and potentially affecting legitimate user access.

🟢 If Mitigated: Minimal impact with proper input validation and LDAP server resource limits in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to attempt authentication with malicious username payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.10 or later

Vendor Advisory: https://github.com/pgadmin-org/pgadmin4/issues/9325

Restart Required: Yes

Instructions:

1. Upgrade pgAdmin to version 9.10 or later.
2. Restart the pgAdmin service.
3. Verify LDAP authentication works with normal credentials.

🔧 Temporary Workarounds

Disable LDAP Authentication (applies to: all)

Temporarily switch to local authentication or another auth method until patching is possible: modify the pgAdmin configuration to use non-LDAP authentication.

LDAP Server Input Filtering (applies to: all)

Configure the LDAP server to filter or reject special characters in authentication requests, using LDAP server ACLs and input validation rules.
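The workaround above puts the filtering on the LDAP server; the same control belongs in any client that builds a search filter from a login name. The following is an added example, not pgAdmin's own code and not the fix shipped in 9.10: it places a raw filter builder of the kind that passes username metacharacters straight into the filter beside one that escapes values per RFC 4515, and adds an allowlist that rejects such usernames before any directory query is sent. The function names, the `uid` attribute, the allowlist pattern and the sample usernames are assumptions for illustration.

```python
"""Added example (not pgAdmin's code): RFC 4515 filter-value escaping and an
allowlist for login names, with the unescaped builder shown for contrast."""
import re

# RFC 4515 section 3: these characters must be escaped inside a filter value,
# otherwise they change the meaning of the filter instead of being matched.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Return value so that every character is matched literally in a filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str, attr: str = "uid") -> str:
    """Defective pattern: the login name is interpolated as-is, so a '*' or
    '(' in it becomes part of the filter grammar (the class of defect the
    advisory describes)."""
    return f"({attr}={username})"


def build_filter_escaped(username: str, attr: str = "uid") -> str:
    """Hardened builder: the login name can only ever match literally."""
    return f"({attr}={escape_ldap_filter_value(username)})"


# Hypothetical allowlist for account names; adjust to the site's naming rules.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def is_acceptable_username(username: str) -> bool:
    """First line of defence: reject names that carry filter metacharacters."""
    return _USERNAME_RE.fullmatch(username) is not None


def lookup_filter_for_login(username: str, attr: str = "uid") -> str:
    """Both layers together: allowlist first, escaping second."""
    if not is_acceptable_username(username):
        raise ValueError("username contains characters not permitted in an account name")
    return build_filter_escaped(username, attr)


if __name__ == "__main__":
    for name in ("alice", "a*b", "(*"):
        print(f"{name!r}: unsafe={build_filter_unsafe(name)} "
              f"escaped={build_filter_escaped(name)} "
              f"allowed={is_acceptable_username(name)}")
```

The allowlist alone would already stop the filter from changing shape; the escaping layer is kept so that a later relaxation of the allowlist (for example to admit display names) cannot silently reintroduce the problem.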

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to pgAdmin LDAP authentication endpoints
  • Deploy WAF or reverse proxy with LDAP injection detection rules

🔍 How to Verify

Check if Vulnerable:

Check pgAdmin version and verify LDAP authentication is enabled in configuration.

Check Version:

pgadmin4 --version

Verify Fix Applied:

Verify pgAdmin version is 9.10 or later and test LDAP authentication with normal credentials.

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP query patterns in pgAdmin logs
  • Failed authentication attempts with special characters in username
  • LDAP server resource exhaustion alerts

Network Indicators:

  • Multiple authentication attempts with payloads containing LDAP special characters
  • Unusually large LDAP queries from pgAdmin server

SIEM Query:

source="pgadmin" AND (username CONTAINS "*" OR username CONTAINS "(" OR username CONTAINS ")")
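The query above can be reproduced offline for environments without a SIEM. The following is an added example, not part of the advisory: it parses a constructed authentication log, flags usernames carrying LDAP filter metacharacters, and counts flagged attempts per source address. It goes slightly beyond the query by also counting backslash and NUL, the two other characters RFC 4515 escapes. The log line layout, the function names and the sample lines are assumptions; the real pgAdmin log format is not assumed here.

```python
"""Added example (not pgAdmin's code): detection logic for login attempts
whose username contains LDAP filter metacharacters, run over constructed log
lines."""
import re
from collections import Counter

# Constructed log layout for this example: <timestamp> auth_<result> user="<name>" src=<ip>
_LINE_RE = re.compile(
    r'^(?P<ts>\S+) auth_(?P<result>\w+) user="(?P<user>[^"]*)" src=(?P<src>\S+)$'
)

# The characters RFC 4515 requires to be escaped in a filter value.
LDAP_FILTER_METACHARS = frozenset("*()\\\x00")

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2025-11-01T10:00:01Z auth_failed user="alice" src=10.0.0.5
2025-11-01T10:00:02Z auth_ok user="bob" src=10.0.0.6
2025-11-01T10:00:03Z auth_failed user="*" src=198.51.100.7
2025-11-01T10:00:04Z auth_failed user="(*" src=198.51.100.7
2025-11-01T10:00:05Z auth_failed user="carol" src=10.0.0.8
this line does not match the layout and must be skipped, not crash the parser
"""


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def has_ldap_metachars(username: str) -> bool:
    """True when the username could alter an LDAP filter if left unescaped."""
    return any(ch in LDAP_FILTER_METACHARS for ch in username)


def flagged_events(log_text: str) -> list:
    """All parsed events whose username carries a filter metacharacter."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and has_ldap_metachars(rec["user"]):
            events.append(rec)
    return events


def suspicious_sources(log_text: str, threshold: int = 1) -> dict:
    """Source addresses with at least `threshold` flagged attempts."""
    counts = Counter(e["src"] for e in flagged_events(log_text))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for e in flagged_events(SAMPLE_LOG):
        print(f"{e['ts']} src={e['src']} user={e['user']!r}")
    print(suspicious_sources(SAMPLE_LOG))
```

A threshold of one is appropriate while the fleet is unpatched; after the upgrade a higher threshold keeps the rule useful for spotting repeated probing without paging on a single mistyped login.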
