Fixed Command injection vulnerability allowing arbitrary command execution on Windows (CVE-2025-12763). #9323

Author: yogeshmahajan-1903

docs/en_US/release_notes_9_10.rst

@@ -41,4 +41,5 @@ Bug fixes
   | `Issue #9240 <https://github.com/pgadmin-org/pgadmin4/issues/9240>`_ -  Fixed an issue where the Debian build process failed with a "Sphinx module not found" error when using a Python virtual environment.
   | `Issue #9281 <https://github.com/pgadmin-org/pgadmin4/issues/9281>`_ -  Fixed an issue where the last used storage directory was reset to blank, leading to access denied errors during backup or restore operations.
   | `Issue #9304 <https://github.com/pgadmin-org/pgadmin4/issues/9304>`_ -  Fixed an issue that prevented assigning multiple users to an RLS policy.
-  | `Issue #9320 <https://github.com/pgadmin-org/pgadmin4/issues/9320>`_ -  Fixed remote code execution vulnerability when restoring PLAIN-format SQL dumps in server mode (CVE-2025-12762).
+  | `Issue #9320 <https://github.com/pgadmin-org/pgadmin4/issues/9320>`_ -  Fixed remote code execution vulnerability when restoring PLAIN-format SQL dumps in server mode (CVE-2025-12762).
+  | `Issue #9323 <https://github.com/pgadmin-org/pgadmin4/issues/9323>`_ -  Fixed Command injection vulnerability allowing arbitrary command execution on Windows (CVE-2025-12763).

web/pgadmin/misc/bgprocess/process_executor.py

@@ -33,6 +33,7 @@
 # To make print function compatible with python2 & python3
 import sys
 import os
+import subprocess
 from datetime import datetime, timedelta, tzinfo, timezone
 from subprocess import Popen, PIPE
 from threading import Thread
@@ -319,7 +320,9 @@ def execute(argv):
 
         kwargs = dict()
         kwargs['close_fds'] = False
-        kwargs['shell'] = True if _IS_WIN else False
+        kwargs['shell'] = False
+        if _IS_WIN:
+            kwargs['creationflags'] = subprocess.CREATE_NO_WINDOW
 
         # We need environment variables & values in string
         kwargs['env'] = os.environ.copy()

web/pgadmin/tools/restore/__init__.py

@@ -336,7 +336,7 @@ def get_restore_util_args(data, manager, server, driver, conn, filepath):
                      False)
         set_multiple('indexes', '--index', data, args, driver, conn, False)
 
-    args.append(fs_short_path(filepath))
+    args.append(filepath)
 
     return args
 

web/pgadmin/utils/__init__.py

@@ -311,15 +311,19 @@ def filename_with_file_manager_path(_file, create_file=False,
     elif not os.path.isabs(_file):
         _file = os.path.join(document_dir(), _file)
 
-    def short_filepath():
-        short_path = fs_short_path(_file)
+    def short_filepath(file=_file):
+        short_path = fs_short_path(file)
         # fs_short_path() function may return empty path on Windows
         # if directory doesn't exists. In that case we strip the last path
         # component and get the short path.
         if os.name == 'nt' and short_path == '':
-            base_name = os.path.basename(_file)
-            dir_name = os.path.dirname(_file)
-            short_path = fs_short_path(dir_name) + '\\' + base_name
+            base_name = os.path.basename(file)
+            dir_name = os.path.dirname(file)
+            dir_short_path = fs_short_path(dir_name)
+            if dir_short_path == '' and file != "":
+                short_path = os.path.join(short_filepath(dir_name), base_name)
+            else:
+                short_path = os.path.join(dir_short_path, base_name)
         return short_path
 
     if create_file: