Skip to main content

PostgreSQL CVE-2025-49146

| EUVDEUVD-2025-18118 HIGH
Improper Authentication (CWE-287)
2025-06-11 security-advisories@github.com GHSA-hq9p-pm7w-8p54
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
8.2 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 14, 2026 - 21:09 euvd
EUVD-2025-18118
Analysis Generated
Mar 14, 2026 - 21:09 vuln.today
Patch released
Mar 14, 2026 - 21:09 nvd
Patch available
CVE Published
Jun 11, 2025 - 15:15 nvd
HIGH 8.2

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,112 maven packages depend on org.postgresql:postgresql (398 direct, 714 indirect)

Ecosystem-wide dependent count for version 42.7.4.

DescriptionGitHub Advisory

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

AnalysisAI

The PostgreSQL JDBC driver (pgjdbc) versions 42.7.4 through 42.7.6 contain an authentication bypass vulnerability where channel binding validation is incorrectly disabled, allowing man-in-the-middle attackers to intercept connections that administrators configured to require channel binding protection. Affected users running pgjdbc with channel binding set to 'required' (a non-default but security-conscious configuration) are vulnerable to credential interception and session hijacking despite believing their connections are protected. The vulnerability is fixed in version 42.7.7.

Technical ContextAI

The pgjdbc driver implements PostgreSQL's channel binding protocol extension (part of SCRAM-SHA-256 authentication), which cryptographically binds authentication to the TLS session to prevent MITM attacks. CWE-287 (Improper Authentication) indicates the root cause is a logic flaw in the channel binding validation routine—specifically, when channelBinding is set to 'require', the driver incorrectly allows fallback to authentication methods that do not support channel binding (password, MD5, GSS, SSPI). This defeats the entire purpose of requiring channel binding, as an attacker can force a downgrade to an unprotected auth method. The affected CPE is pgjdbc versions >=42.7.4 and <42.7.7. The vulnerability affects any Java application using org.postgresql:postgresql JDBC driver in this version range with channelBinding=require in connection properties.

RemediationAI

Immediate: Upgrade pgjdbc to version 42.7.7 or later. This version corrects the channel binding validation logic to properly enforce require semantics. Interim mitigations: (1) Change channelBinding connection property from 'require' to 'prefer' if acceptable for your security posture (reduces assurance but prevents downgrade), or (2) Set channelBinding=disable and enforce channel binding at the PostgreSQL server level with ssl_cert_auth or require SCRAM-SHA-256 exclusively. (3) Implement network segmentation to prevent MITM positioning (e.g., VPN, private networks, TLS certificate pinning in application code). For Maven/Gradle projects, update the dependency: org.postgresql:postgresql:42.7.7 or later. Verify no transitive dependencies lock older versions. Check vendor advisories at postgresql.org/about/news for additional context.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Vendor StatusVendor

Ubuntu

Priority: Medium
libpgjava
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
upstream needs-triage -
plucky ignored end of life, was needs-triage
oracular ignored end of life, was needs-triage
questing needs-triage -

Debian

Bug #1107696
libpgjava
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 42.2.15-1+deb11u2 -
bookworm not-affected - -
trixie fixed 42.7.7-1 -
forky, sid fixed 42.7.10-1 -
(unstable) fixed 42.7.7-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2025-49146 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy