Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
Analysis
Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
Technical ContextAI
This vulnerability is classified as Untrusted Search Path (CWE-426).
RemediationAI
Monitor vendor advisories for patches. Apply mitigations such as network segmentation, access restrictions, and monitoring.
PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by send
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Se
PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user
Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value,
Stack overflow in PgBouncer before 1.25.2 enables malicious PostgreSQL backend servers to trigger remote code execution
When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries
Remote denial-of-service in PgBouncer versions before 1.25.2 allows unauthenticated attackers to crash the connection po
PgBouncer before version 1.25.2 crashes when a backend PostgreSQL server sends an error response lacking an SQLSTATE fie
The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a d
PgBouncer before version 1.25.2 fails to properly restrict the KILL_CLIENT admin command to authorized users, allowing a
Same weakness CWE-426 – Untrusted Search Path
View allSame technique Information Disclosure
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | needs-triage | - |
| upstream | released | 1.25.1-1 |
| plucky | ignored | end of life, was needs-triage |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 1.15.0-1+deb11u2 | - |
| bullseye (security) | fixed | 1.15.0-1+deb11u2 | - |
| bookworm | fixed | 1.18.0-1+deb12u1 | - |
| trixie | fixed | 1.24.1-1+deb13u1 | - |
| forky, sid | fixed | 1.25.1-1 | - |
| (unstable) | fixed | 1.25.1-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-201089