pgAdmin 4 Session Deserialization Remote Code Execution (CVE-2024-2044)

Overview

pgAdmin 4 Session Deserialization Remote Code Execution, tracked as CVE-2024-2044, affects pgAdmin 4 versions before 8.4. pgAdmin is a widely used administration interface for PostgreSQL, so code execution in the pgAdmin server context can put database administration workflows and connected environments at risk.

Vulnerability Overview

CVE-2024-2044 is a path traversal and unsafe deserialization issue in pgAdmin 4 session handling. Affected versions store user sessions as serialized pickle objects and use session cookie data to locate and deserialize session files.

According to the official record, Windows deployments can allow an unauthenticated attacker to load and deserialize remote pickle objects. On POSIX/Linux systems, an authenticated attacker can upload pickle objects, trigger deserialization, and gain code execution.
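To make the two weaknesses concrete, here is an added example (constructed for this page, not pgAdmin's own code) of a session store that closes both: the cookie-supplied session id is allow-listed and confined to the session directory, and session state is kept as JSON, which cannot carry code, instead of pickle. The directory layout, id format and sample ids are assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed example (not pgAdmin's code): a session store with the two
# properties this bug shows are needed. The cookie-supplied id is allow-listed
# and confined to the session directory, and state is JSON, which cannot
# carry code, rather than pickle.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{16,64}")

def resolve_session_path(session_dir: Path, session_id: str):
    """Map a cookie-supplied id to a file, or None if it is malformed or
    resolves outside session_dir (the second check also catches symlinks)."""
    if not SESSION_ID_RE.fullmatch(session_id):
        return None
    base = session_dir.resolve()
    candidate = (base / session_id).resolve()
    return candidate if candidate.parent == base else None

def load_session(session_dir: Path, session_id: str):
    """Load session state; a tampered or foreign file yields None, never
    code execution, because json.loads only produces plain data."""
    path = resolve_session_path(session_dir, session_id)
    if path is None or not path.is_file():
        return None
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return data if isinstance(data, dict) else None

def selfcheck():
    """Exercise the store with one constructed session and hostile ids."""
    with tempfile.TemporaryDirectory() as tmp:
        sessions = Path(tmp)
        good, odd = "a1B2c3D4e5F6g7H8", "b1B2c3D4e5F6g7H8"
        (sessions / good).write_text(json.dumps({"user": "admin"}))
        # A pickle-like binary blob under a valid name is parsed as data and fails.
        (sessions / odd).write_bytes(b"\x80\x04\x95junk")
        return {
            "valid": load_session(sessions, good),
            "binary": load_session(sessions, odd),
            "traversal": load_session(sessions, "../../etc/passwd"),
            "absolute": load_session(sessions, "/etc/passwd"),
            "unc": load_session(sessions, r"\\host\share\sess"),
        }
```

Only the well-formed id backed by a JSON file loads; every other id is rejected before any file is opened, and a non-JSON file under a valid name fails to parse rather than executing anything.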

Impact

The vulnerability is rated Critical with a CVSS 3.1 score of 9.9. Successful exploitation can allow remote code execution with high confidentiality, integrity, and availability impact.

Because pgAdmin is commonly connected to database administration workflows, compromise of the application server can expose database credentials, administrative access, and internal network paths.

Vulnerability Scope

The affected product is pgAdmin 4 before version 8.4. Affected deployments should upgrade to pgAdmin 4 8.4 or later.

The highest-risk systems are pgAdmin servers exposed to untrusted networks, especially deployments where session storage, upload behavior, or platform-specific file path handling can be abused.

Lab Focus

This Hackviser lab focuses on understanding how session deserialization and path traversal can combine into remote code execution. You will practice identifying affected pgAdmin versions, recognizing the platform-specific exploitation conditions, and connecting unsafe deserialization risk to database administration security.

Resources