pgAdmin 4 Deserialization Vulnerability in FileBackedSessionManager Leading to Remote Code Execution

Vulnerability

A deserialization vulnerability has been identified in pgAdmin 4 versions prior to 9.15, specifically within the FileBackedSessionManager. The session manager deserialized session-file contents using Python's standard object-serialization module before performing any HMAC integrity check. An authenticated user with write access to the sessions directory could therefore place a crafted serialized payload in a session file, and loading that file could execute operating-system level code under the pgAdmin process identity.
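
The ordering defect described above, shown as an added illustration that is not pgAdmin's own code: a loader that calls pickle on the file body before verifying the tag, beside the corrected loader that verifies first. The file layout (an HMAC-SHA256 tag followed by the pickled session), the demo key and the helper names are assumptions made for this example; the counter only records whether unverified bytes ever reached the deserializer.

```python
import hashlib
import hmac
import pickle

# Constructed demo key only; a real deployment derives this from the app secret.
SECRET_KEY = b"constructed-demo-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes
_UNPICKLE_CALLS = 0  # how often file bytes reached pickle.loads

def _unpickle(body: bytes) -> dict:
    """Single choke point so the demo can observe when pickle actually runs."""
    global _UNPICKLE_CALLS
    _UNPICKLE_CALLS += 1
    return pickle.loads(body)

def unpickle_calls() -> int:
    return _UNPICKLE_CALLS

def serialize_session(session: dict, key: bytes = SECRET_KEY) -> bytes:
    """Assumed file layout: HMAC-SHA256 tag followed by the pickled session."""
    body = pickle.dumps(session)
    return hmac.new(key, body, hashlib.sha256).digest() + body

def load_session_vulnerable(blob: bytes, key: bytes = SECRET_KEY) -> dict:
    """Unsafe order (the advisory's bug shape): deserialize, then verify."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    session = _unpickle(body)  # unverified file bytes already ran through pickle
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("session HMAC mismatch")
    return session

def load_session_fixed(blob: bytes, key: bytes = SECRET_KEY) -> dict:
    """Safe order: verify the tag first; pickle never sees unverified bytes."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("session HMAC mismatch")
    return _unpickle(body)

def tamper(blob: bytes, new_session: dict) -> bytes:
    """Constructed, benign tampering: keep the stale tag, swap the body."""
    return blob[:TAG_LEN] + pickle.dumps(new_session)

def rejects(loader, blob: bytes) -> bool:
    """True when the loader refuses the blob because its HMAC does not verify."""
    try:
        loader(blob)
    except ValueError:
        return True
    return False
```

Both loaders end up raising on a tampered file; the difference is that the vulnerable one has already handed the attacker-controlled bytes to pickle by the time it notices, which is exactly the window the advisory describes.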

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running under the identity of the pgAdmin process.

Remediation

Upgrade to pgAdmin 4 version 9.15 or later to address this vulnerability. The release notes for version 9.15 describe the fix.

Added: May 11, 2026, 4:28 PM
Updated: May 11, 2026, 4:28 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 7.5
exploitability: 4.7
remediation: 7.7
relevance: 8.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.