How to fix CVE-2025-12819?

Within 24 hours: Identify all systems running PgBouncer versions before 1.25.1 and document their criticality and exposure level. Within 7 days: Implement network segmentation to restrict PgBouncer access to trusted application servers only, and consider disabling the search_path parameter if operationally feasible. Within 30 days: Upgrade to PgBouncer 1.25.1 or later as soon as the patch becomes available, or migrate to an alternative connection pooling solution if upgrade timeline is uncertain.

Is Ubuntu affected by CVE-2025-12819?

CVE-2025-12819 affects PgBouncer, a critical database connection pooling service, allowing unauthenticated attackers to execute arbitrary SQL commands during the authentication phase.

CVE-2025-12819

EUVD-2025-201089 HIGH

2025-12-03 f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 15, 2026 - 16:14 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 16:14 euvd

EUVD-2025-201089

CVE Published

Dec 03, 2025 - 19:15 nvd

HIGH 7.5

Description

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.

Analysis

Technical Context

This vulnerability is classified as Untrusted Search Path (CWE-426).

Affected Products

Affected products: Pgbouncer Pgbouncer

Remediation

Monitor vendor advisories for patches. Apply mitigations such as network segmentation, access restrictions, and monitoring.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +38

POC: 0

Vendor Status

Ubuntu

Priority: Medium

pgbouncer

Release	Status	Version
xenial	needs-triage	-
bionic	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
questing	needs-triage	-
upstream	released	1.25.1-1
plucky	ignored	end of life, was needs-triage

Debian

pgbouncer

Release	Status	Fixed Version	Urgency
bullseye	fixed	1.15.0-1+deb11u2	-
bullseye (security)	fixed	1.15.0-1+deb11u2	-
bookworm	fixed	1.18.0-1+deb12u1	-
trixie	fixed	1.24.1-1+deb13u1	-
forky, sid	fixed	1.25.1-1	-
(unstable)	fixed	1.25.1-1	-

DLA-4422-1

CVE-2025-12819 vulnerability details – vuln.today

Back

CVE-2025-12819

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-12819

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code