Overview
A critical SQL injection vulnerability has been identified in phpPgAdmin version 7.13.0 and earlier. This vulnerability, tracked as CVE-2025-60797, allows an authenticated attacker to execute arbitrary SQL commands by injecting malicious code into the $_REQUEST['query'] parameter. This can lead to complete database compromise, data theft, or privilege escalation.
Technical Details
The vulnerability exists within the dataexport.php file at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without proper sanitization or parameterization. The vulnerable code snippet is:
$data->conn->Execute($_REQUEST['query']);
Because the statement is executed verbatim, the database runs whatever SQL the authenticated user submits, with the privileges of the connection phpPgAdmin holds; any access control the application intends to enforce in front of the database is bypassed. Exploitation requires an attacker to be authenticated to the phpPgAdmin instance.
CVSS Analysis
As of the publication of this article, the official CVSS score for CVE-2025-60797 is still pending. However, given the nature of the vulnerability (SQL injection allowing arbitrary command execution), it is expected to receive a high to critical severity score.
We will update this section when the CVSS score is officially published by NVD or similar vulnerability databases.
Possible Impact
The exploitation of this SQL injection vulnerability can have severe consequences, including:
- Complete Database Compromise: An attacker can gain full control over the PostgreSQL database.
- Data Theft: Sensitive data stored in the database can be extracted and exfiltrated.
- Privilege Escalation: An attacker may be able to escalate their privileges within the database system.
- Denial of Service: By injecting malicious SQL commands, an attacker could potentially disrupt the normal operation of the database server.
Mitigation and Patch Steps
To mitigate this vulnerability, the following steps are recommended:
- Upgrade phpPgAdmin: Upgrade to a patched version of phpPgAdmin as soon as it becomes available. Check the official phpPgAdmin website for updates.
- Input Sanitization: If an upgrade is not immediately possible, implement strict input validation and sanitization for the $_REQUEST['query'] parameter. Use parameterized queries or prepared statements to prevent SQL injection.
- Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) to filter out malicious SQL injection attempts. Configure the WAF with rules specific to preventing SQL injection attacks.
- Restrict Access: Limit access to phpPgAdmin to only authorized users and networks. Implement strong authentication measures and regularly review user permissions.
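The following is an added example, not phpPgAdmin's code, that puts the vulnerable pattern from the Technical Details section beside the parameterized form recommended under Input Sanitization. The function names, the $conn handle, the request keys table and filter, and the allow-list of exportable tables are assumptions for illustration. One caveat worth stating: a raw SQL string cannot be made safe by escaping or by a prepared statement, because the attacker controls the whole statement, not just a value. The hardened handler therefore changes what the request is allowed to choose (a table from an allow-list and equality filters on catalog-verified columns) and lets the server assemble the statement, with every user value travelling as a bound parameter.

```php
<?php
// Added example (not phpPgAdmin's code). The $conn handle, function names,
// request keys and $exportable_tables allow-list are assumptions.

// VULNERABLE: the request body is the SQL statement. Any holder of a valid
// session runs arbitrary SQL with the privileges of the database connection.
function export_vulnerable($conn, array $request): array {
    // same defect as $data->conn->Execute($_REQUEST['query'])
    $result = pg_query($conn, $request['query']);
    return $result === false ? [] : (pg_fetch_all($result) ?: []);
}

// HARDENED: the client names a table and optional equality filters; the server
// builds the statement. Identifiers are allow-listed and quoted, values are bound.
function export_hardened($conn, array $request, array $exportable_tables): array {
    $table = (string) ($request['table'] ?? '');
    if (!in_array($table, $exportable_tables, true)) {
        throw new InvalidArgumentException('table not exportable');
    }

    $filters = is_array($request['filter'] ?? null) ? $request['filter'] : [];
    // Column names come from the catalog, never from the request.
    $columns = pg_columns_of($conn, $table);

    $where  = [];
    $params = [];
    foreach ($filters as $column => $value) {
        if (!in_array((string) $column, $columns, true)) {
            throw new InvalidArgumentException('unknown column');
        }
        $params[] = (string) $value;   // bound as $1, $2, ... never concatenated
        $where[]  = pg_escape_identifier($conn, (string) $column) . ' = $' . count($params);
    }

    $sql = 'SELECT * FROM ' . pg_escape_identifier($conn, $table);
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }

    // Second line of defence: an export runs in a read-only transaction, so a
    // flaw in the builder above still cannot turn it into a write.
    pg_query($conn, 'BEGIN READ ONLY');
    try {
        $result = pg_query_params($conn, $sql, $params);
        if ($result === false) {
            throw new RuntimeException('export query failed: ' . pg_last_error($conn));
        }
        return pg_fetch_all($result) ?: [];
    } finally {
        pg_query($conn, 'COMMIT');
    }
}

// Column names of a table in the current schema, looked up with a bound parameter.
function pg_columns_of($conn, string $table): array {
    $result = pg_query_params(
        $conn,
        'SELECT column_name FROM information_schema.columns '
        . 'WHERE table_schema = current_schema() AND table_name = $1',
        [$table]
    );
    if ($result === false) {
        throw new RuntimeException('catalog lookup failed: ' . pg_last_error($conn));
    }
    return array_column(pg_fetch_all($result) ?: [], 'column_name');
}
```

The read-only transaction and the allow-list complement the Restrict Access step above: even with a valid session, the most an export request can do is read tables the deployment has chosen to expose, and the database role used by the connection should itself be limited to what the application needs.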
