1) Fixed LDAP authentication flow vulnerable to TLS certificate verification bypass (CVE-2025-12765). #9324

2) Fixed LDAP injection vulnerability in LDAP authentication flow (CVE-2025-12764). #9325

Author: khushboovashi

docs/en_US/ldap.rst

@@ -87,6 +87,8 @@ There are 3 ways to configure LDAP:
    "LDAP_KEY_FILE","Specifies the path to the server private key file. This parameter
    is applicable only if you are using *ldaps* as connection protocol or you have
    set *LDAP_USE_STARTTLS* parameter to *True*."
+   "LDAP_CERT_VALIDATE", "Set this parameter to *False* if you want to bypass
+   the TLS certificate validation. By default it is set to True."
    "LDAP_IGNORE_MALFORMED_SCHEMA", "Some flaky LDAP servers returns malformed schema.
    If this parameter set to *True*, no exception will be raised and schema is thrown away
    but authentication will be done. This parameter should remain False, as recommended."

docs/en_US/release_notes_9_10.rst

@@ -42,4 +42,6 @@ Bug fixes
   | `Issue #9281 <https://github.com/pgadmin-org/pgadmin4/issues/9281>`_ -  Fixed an issue where the last used storage directory was reset to blank, leading to access denied errors during backup or restore operations.
   | `Issue #9304 <https://github.com/pgadmin-org/pgadmin4/issues/9304>`_ -  Fixed an issue that prevented assigning multiple users to an RLS policy.
   | `Issue #9320 <https://github.com/pgadmin-org/pgadmin4/issues/9320>`_ -  Fixed remote code execution vulnerability when restoring PLAIN-format SQL dumps in server mode (CVE-2025-12762).
-  | `Issue #9323 <https://github.com/pgadmin-org/pgadmin4/issues/9323>`_ -  Fixed Command injection vulnerability allowing arbitrary command execution on Windows (CVE-2025-12763).
+  | `Issue #9323 <https://github.com/pgadmin-org/pgadmin4/issues/9323>`_ -  Fixed Command injection vulnerability allowing arbitrary command execution on Windows (CVE-2025-12763).
+  | `Issue #9324 <https://github.com/pgadmin-org/pgadmin4/issues/9324>`_ -  Fixed LDAP authentication flow vulnerable to TLS certificate verification bypass (CVE-2025-12765).
+  | `Issue #9325 <https://github.com/pgadmin-org/pgadmin4/issues/9325>`_ -  Fixed LDAP injection vulnerability in LDAP authentication flow (CVE-2025-12764).

web/config.py

@@ -754,6 +754,9 @@
 LDAP_CERT_FILE = ''
 LDAP_KEY_FILE = ''
 
+# TLS/SSL certificate Validation (True/False),
+# Make it false if certificate validation is not required.
+LDAP_CERT_VALIDATE = True
 ##########################################################################
 
 # Some flaky LDAP servers returns malformed schema. If True, no exception

web/pgadmin/authenticate/ldap.py

@@ -16,6 +16,7 @@
 from ldap3.core.exceptions import LDAPSocketOpenError, LDAPBindError,\
     LDAPInvalidScopeError, LDAPAttributeError, LDAPInvalidFilterError,\
     LDAPStartTLSError, LDAPSSLConfigurationError
+from ldap3.utils.conv import escape_filter_chars
 from flask_babel import gettext
 from urllib.parse import urlparse
 
@@ -212,10 +213,8 @@ def __configure_tls(self):
         ca_cert_file = getattr(config, 'LDAP_CA_CERT_FILE', None)
         cert_file = getattr(config, 'LDAP_CERT_FILE', None)
         key_file = getattr(config, 'LDAP_KEY_FILE', None)
-        cert_validate = ssl.CERT_NONE
-
-        if ca_cert_file and cert_file and key_file:
-            cert_validate = ssl.CERT_REQUIRED
+        cert_required = getattr(config, 'LDAP_CERT_VALIDATE', True)
+        cert_validate = ssl.CERT_REQUIRED if cert_required else ssl.CERT_NONE
 
         try:
             tls = Tls(
@@ -278,8 +277,10 @@ def search_ldap_user(self):
             elif not search_base_dn or search_base_dn == '<Search-Base-DN>':
                 search_base_dn = config.LDAP_BASE_DN
 
-            search_filter = "({0}={1})".format(config.LDAP_USERNAME_ATTRIBUTE,
-                                               self.username)
+            search_filter = "({0}={1})".format(
+                config.LDAP_USERNAME_ATTRIBUTE,
+                escape_filter_chars(self.username)
+            )
             if config.LDAP_SEARCH_FILTER:
                 search_filter = "(&{0}{1})".format(search_filter,
                                                    config.LDAP_SEARCH_FILTER)