CVE-2025-12764 — pgAdmin is affected by an LDAP injection vulnerability

Description

pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and the client to process an unusual amount of data DOS.

How to fix CVE-2025-12764

To remediate CVE-2025-12764, upgrade the affected package to a fixed version below.

—upgrade to 9.10 or later

Is CVE-2025-12764 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 9.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-12764
PATCHgithub.com/pgadmin-org/pgadmin4
WEBgithub.com/pgadmin-org/pgadmin4/commit/09d2b7eeb0e330df73b1aef0cba57788fde52b6b
WEBgithub.com/pgadmin-org/pgadmin4/issues/9325