CVE-2024-9014

OAuth2 client id and secret exposed through the web browser in pgAdmin 4

Severity Score

9.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

MITRE
PS

pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.

This update for pgadmin4 fixes the following issues. Fixed socket.io: unhandled 'error' event. Fixed requirejs: prototype pollution via function config. Fixed requirejs: prototype pollution via function s.contexts._.configure. Fixed axios: server-side request forgery due to requests for path relative URLs being processed as protocol relative URLs in axios. Fixed micromatch: vulnerable to Regular Expression Denial of Service. Fixed braces: fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. Fixed webpack: DOM clobbering gadget in AutoPublicPathRuntimeModule could lead to XSS Fixed elliptic: ECDSA signature verification error due to leading zero may reject legitimate transactions in elliptic. Fixed elliptic: Missing Validation in Elliptic's EDDSA Signature Verification. Fixed OAuth2 issue that could lead to information leak.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-09-19 CVE Reserved
2024-09-23 CVE Published
2024-09-23 CVE Updated
2024-09-26 First Exploit
2025-07-20 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-522: Insufficiently Protected Credentials

CAPEC

References (4)

URL	Tag	Source
https://github.com/pgadmin-org/pgadmin4/issues/7945	Issue Tracking

URL	Date	SRC
https://packetstorm.news/files/id/181851	2024-09-26
https://github.com/EQSTLab/CVE-2024-9014	2024-09-26
https://github.com/r0otk3r/CVE-2024-9014	2025-07-12

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pgadmin.org Search vendor "Pgadmin.org"		PgAdmin 4 Search vendor "Pgadmin.org" for product "PgAdmin 4"				< 8.12 Search vendor "Pgadmin.org" for product "PgAdmin 4" and version " < 8.12"		en		Affected