Fixed a remote code execution issue in the Query Tool and Cloud Deployment (CVE-2025-2945). #8603

akshay-joshi · akshay-joshi · commit 75be0bc22d3d · 2025-03-31T11:33:37.000+05:30
diff --git a/docs/en_US/release_notes_9_2.rst b/docs/en_US/release_notes_9_2.rst
@@ -50,3 +50,4 @@ Bug fixes
   | `Issue #8577 <https://github.com/pgadmin-org/pgadmin4/issues/8577>`_ -  Fixed an issue where the upgrade_check API returned an unexpected keyword argument 'cafile' due to changes in the urllib package supporting Python v3.13.
   | `Issue #8597 <https://github.com/pgadmin-org/pgadmin4/issues/8597>`_ -  Fixed an issue where delete/rename was done on wrong file after sorting in Storage Manager.
   | `Issue #8602 <https://github.com/pgadmin-org/pgadmin4/issues/8602>`_ -  Fixed an XSS vulnerability issue in the Query Tool and View/Edit Data (CVE-2025-2946).
+  | `Issue #8603 <https://github.com/pgadmin-org/pgadmin4/issues/8603>`_ -  Fixed a remote code execution issue in the Query Tool and Cloud Deployment (CVE-2025-2945).
diff --git a/web/pgacloud/providers/google.py b/web/pgacloud/providers/google.py
@@ -136,8 +136,12 @@ def _create_google_postgresql_instance(self, args):
         credentials = self._get_credentials(self._scopes)
         service = discovery.build('sqladmin', 'v1beta4',
                                   credentials=credentials)
-        high_availability = \
-            'REGIONAL' if eval(args.high_availability) else 'ZONAL'
+
+        _high_availability = args.high_availability.lower() in (
+            'true', '1') if isinstance(args.high_availability, str
+                                       ) else args.high_availability
+
+        high_availability = 'REGIONAL' if _high_availability else 'ZONAL'
 
         db_password = self._database_password \
             if self._database_password is not None else args.db_password
diff --git a/web/pgadmin/tools/sqleditor/__init__.py b/web/pgadmin/tools/sqleditor/__init__.py
@@ -2156,7 +2156,8 @@ def start_query_download_tool(trans_id):
                 sql = value
             if key == 'query_commited':
                 query_commited = (
-                    eval(value) if isinstance(value, str) else value
+                    value.lower() in ('true', '1') if isinstance(
+                        value, str) else value
                 )
         if not sql:
             sql = trans_obj.get_sql(sync_conn)
