CVE-2025-0218
Published: 07 January 2025
Description
When batch jobs are executed by pgAgent, a script is created in a temporary directory and then executed. In versions of pgAgent prior to 4.2.3, an insufficiently seeded random number generator is used when generating the directory name, leading to the possibility for a local attacker to pre-create the directory and thus prevent pgAgent from executing jobs, disrupting scheduled tasks.
Security Summary
CVE-2025-0218 is a vulnerability in pgAgent, a job scheduling agent for PostgreSQL, affecting versions prior to 4.2.3. When batch jobs are executed, pgAgent creates a script in a temporary directory, but it uses an insufficiently seeded random number generator to generate the directory name. This predictable naming allows a local attacker to pre-create the directory, preventing pgAgent from writing the script and thus blocking job execution, which disrupts scheduled tasks. The issue is linked to CWE-340 (Generation of Predictable Numbers) and CWE-330 (Use of Insufficiently Random Values).
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction (AV:L/AC:L/UI:N). Successful exploitation results in a denial-of-service condition with high availability impact (A:H), as targeted batch jobs fail to run, but there is no impact on confidentiality or integrity (C:N/I:N). The CVSS v3.1 base score is 5.5, classifying it as medium severity, with scope unchanged (S:U).
Mitigation involves upgrading to pgAgent version 4.2.3 or later, where the random number generator seeding has been improved, as detailed in the fixing commit at https://github.com/pgadmin-org/pgagent/commit/1ecd193a2be3a3dc9e98f369495e1a792e6d508c. Debian LTS users should refer to the security advisory at https://lists.debian.org/debian-lts-announce/2025/10/msg00018.html for package updates and additional guidance.
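The weakness class described above (CWE-330/CWE-340), shown as an added C++ example that is not pgAgent's code or the fixing commit: a directory name derived from a guessable seed, next to a hardened creation routine and an ownership check. The timestamp-style seed, the `job_` prefix and all function names are assumptions made for illustration.

```cpp
// Added illustration, not pgAgent source; all function names are hypothetical.
#include <cstdio>
#include <cstdlib>
#include <random>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Weak pattern (assumed for illustration): the name is a pure function of a
// guessable seed such as a timestamp, so it can be computed ahead of time.
std::string weak_dir_name(unsigned seed) {
    static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
    std::mt19937 gen(seed);
    std::string name = "/tmp/job_";
    for (int i = 0; i < 8; ++i) name += alphabet[gen() % 36];
    return name;
}

// Hardened pattern: mkdtemp() chooses the suffix, creates the directory
// atomically with mode 0700, and never reuses an existing path.
// Returns the created path, or "" on error.
std::string make_private_dir(const std::string &base) {
    std::string tmpl = base + "/job_XXXXXX";
    return mkdtemp(&tmpl[0]) ? tmpl : std::string();
}

// Check before writing a script: a real directory (not a symlink), owned by
// this process, with no group/other permission bits.
bool is_private_dir(const std::string &path) {
    struct stat st;
    if (lstat(path.c_str(), &st) != 0) return false;
    return S_ISDIR(st.st_mode) && st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

int main() {
    const unsigned seed = 1736208000u;  // constructed sample seed
    std::printf("same seed, same name: %s / %s\n",
                weak_dir_name(seed).c_str(), weak_dir_name(seed).c_str());
    std::string dir = make_private_dir("/tmp");
    std::printf("mkdtemp: %s private=%d\n", dir.c_str(), (int)is_private_dir(dir));
    if (!dir.empty()) rmdir(dir.c_str());
    return 0;
}
```

A job runner built on the hardened pattern should still treat an empty return value as a hard failure and log it, since a failed directory creation is the symptom this CVE produces.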
Details
- CWE(s)