Cyber Resilience

CVE-2024-2044

Critical · Public PoC

Published: 07 March 2024
Modified: 19 September 2025
KEV Added: not listed
Patch: (none recorded)
CVSS Score: 9.9 (v3.1; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.8347 (99.3rd percentile)
Risk Priority: 70 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-2044 is a critical-severity path-traversal vulnerability (CWE-31: Path Traversal: 'dir\..\..\filename') in pgAdmin 4 (vendor: pgadmin). Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

pgAdmin versions 8.3 and earlier are affected by a path-traversal flaw in the session-handling code that deserializes user sessions. The vulnerability stems from unsafe handling of pickle objects: the traversal lets a crafted path reach pickle deserialization, which is what turns a file-access weakness into code execution. It is tracked under CWE-31 and carries a CVSS 3.1 score of 9.9.

On Windows, an unauthenticated remote attacker can supply a crafted path to load and deserialize arbitrary pickle objects, resulting in code execution. On POSIX or Linux systems the same outcome requires an authenticated attacker who can first upload a malicious pickle file before triggering deserialization.

Public references, including the pgadmin-org GitHub issue 7258, a Shielder advisory, and the Fedora package-announce lists, document the issue and link to subsequent updates. The EPSS score stands at 0.8347, with no indicated rise from a lower baseline.

Vulnerability details

pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them, and gain code execution.
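As an added illustration (not pgAdmin's code, and not a reproduction of the fix), a session loader written the way a defender would want this class of bug closed: session identifiers are allow-listed before they touch the filesystem, the resolved path is independently checked to stay inside the session directory, and sessions are stored as JSON so untrusted input is never handed to pickle. The function names, the identifier format and the sample session are assumptions.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Session identifiers are opaque tokens: letters, digits, '-' and '_' only
# (assumed format). This forbids '.', '/', '\\' and ':', so neither '..', a
# POSIX or Windows separator, nor a drive letter ever reaches the filesystem.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")

def is_safe_session_id(session_id: str) -> bool:
    """Allow-list check. os.path on POSIX does not treat '\\' as a separator,
    so a check based only on path normalisation would accept 'dir\\..\\..\\x'
    on Linux while a Windows server would walk out of the session directory."""
    return SESSION_ID_RE.fullmatch(session_id) is not None

def resolve_session_path(session_dir: Path, session_id: str) -> Optional[Path]:
    """Return the session file path only if it is a direct child of session_dir."""
    if not is_safe_session_id(session_id):
        return None
    base = session_dir.resolve()
    candidate = (base / session_id).resolve()
    # Independent second check, in case the allow-list is ever loosened.
    return candidate if candidate.parent == base else None

def load_session(session_dir: Path, session_id: str) -> Optional[dict]:
    """Load a session stored as JSON; untrusted bytes are never given to pickle."""
    path = resolve_session_path(session_dir, session_id)
    if path is None or not path.is_file():
        return None
    with path.open("r", encoding="utf-8") as fh:
        data = json.load(fh)
    return data if isinstance(data, dict) else None

def demo() -> dict:
    """Exercise the loader against a constructed session store in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "sessions"
        store.mkdir()
        good_id = "a1b2c3d4e5f6a7b8c9d0"  # constructed sample identifier
        (store / good_id).write_text(json.dumps({"user": "alice"}), encoding="utf-8")
        return {
            "good": load_session(store, good_id),
            "win_traversal": load_session(store, "dir\\..\\..\\" + good_id),
            "posix_traversal": load_session(store, "../sessions/" + good_id),
            "too_short": load_session(store, "abc"),
        }
```

The "posix_traversal" case resolves back inside the store and would pass a resolve-only check, which is why the allow-list runs first.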

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- pgadmin / pgadmin 4: ≤ 8.4
- fedoraproject / fedora: 40

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
