Published about 2 months ago
Category: Cross-Site Request Forgery
Source: GitHub
Severity: Severe

Vulnerability in pghero

The PgHero dashboard is vulnerable to CSRF with non-session based authentication methods.


The PgHero dashboard is vulnerable to cross-site request forgery (CSRF). This affects the Docker image, Linux packages, and in specific cases, the Ruby gem. The Ruby gem is vulnerable with non-session based authentication methods like basic authentication - session-based authentication methods (like Devise’s default authentication) are not affected.

A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, actions include:

  1. Canceling running queries
  2. Running EXPLAIN on queries (without seeing the results, but can be used for denial of service and other attacks)
  3. Resetting query stats (running pg_stat_statements_reset())
CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 2.7.0

Unaffected Versions