Description
Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied api_key_file and api_url preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by pointing api_key_file at any path readable by the pgAdmin process, or coerce pgAdmin into making requests to internal targets (e.g. cloud metadata services such as 169.254.169.254) by setting api_url, exploiting the chat path and model-list endpoints. Fix restricts api_key_file to the user's private storage (server mode) or home directory (desktop mode), enforces a printable-ASCII key shape and a 1024-byte read cap, and gates api_url against a configurable allow-list (config.ALLOWED_LLM_API_URLS) at every entry point. This issue affects pgAdmin 4: before 9.15.
Authenticated pgAdmin user. LFI is bounded to files readable by the pgAdmin process; SSRF egresses from the pgAdmin process. S:U and I:N reflect that impact stays within pgAdmin's process scope and is read-only. Network-positioning impact (e.g., reaching cloud metadata) depends on deployment topology and is not assumed in the base score.
Authenticated pgAdmin user. LFI is bounded to files readable by the pgAdmin process; SSRF egresses from the pgAdmin process. S:U and I:N reflect that impact stays within pgAdmin's process scope and is read-only. Network-positioning impact (e.g., reaching cloud metadata) depends on deployment topology and is not assumed in the base score.
Product status
9.13 (custom) before 9.15
Credits
j3seer
References
github.com/pgadmin-org/pgadmin4/issues/9900