How to fix CVE-2025-49146?

Within 24 hours: Identify all systems running PostgreSQL JDBC Driver versions 42.7.4-42.7.6 with channel binding set to 'required' and assess exposure. Within 7 days: Upgrade PostgreSQL JDBC Driver to version 42.7.7 or later across development, staging, and production environments. Within 30 days: Conduct post-patch validation and review channel binding configurations in application properties to ensure security intent is maintained.

Is PostgreSQL affected by CVE-2025-49146?

Organizations using PostgreSQL JDBC Driver versions 42.7.4 through 42.7.6 with channel binding enabled face a man-in-the-middle attack risk that could compromise database authentication security.

CVE-2025-49146

EUVD-2025-18118 HIGH

2025-06-11 [email protected]

GHSA-hq9p-pm7w-8p54

8.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 21:09 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 21:09 euvd

EUVD-2025-18118

Patch Released

Mar 14, 2026 - 21:09 nvd

Patch available

CVE Published

Jun 11, 2025 - 15:15 nvd

HIGH 8.2

Description

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

Analysis

The PostgreSQL JDBC driver (pgjdbc) versions 42.7.4 through 42.7.6 contain an authentication bypass vulnerability where channel binding validation is incorrectly disabled, allowing man-in-the-middle attackers to intercept connections that administrators configured to require channel binding protection. Affected users running pgjdbc with channel binding set to 'required' (a non-default but security-conscious configuration) are vulnerable to credential interception and session hijacking despite believing their connections are protected. The vulnerability is fixed in version 42.7.7.

Technical Context

The pgjdbc driver implements PostgreSQL's channel binding protocol extension (part of SCRAM-SHA-256 authentication), which cryptographically binds authentication to the TLS session to prevent MITM attacks. CWE-287 (Improper Authentication) indicates the root cause is a logic flaw in the channel binding validation routine—specifically, when channelBinding is set to 'require', the driver incorrectly allows fallback to authentication methods that do not support channel binding (password, MD5, GSS, SSPI). This defeats the entire purpose of requiring channel binding, as an attacker can force a downgrade to an unprotected auth method. The affected CPE is pgjdbc versions >=42.7.4 and <42.7.7. The vulnerability affects any Java application using org.postgresql:postgresql JDBC driver in this version range with channelBinding=require in connection properties.

Affected Products

PostgreSQL JDBC Driver (pgjdbc) versions 42.7.4, 42.7.5, and 42.7.6 are vulnerable. The package is distributed via Maven Central as org.postgresql:postgresql. Affected CPE: cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.7.4:*:*:*:*:*:*:* through cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.7.6:*:*:*:*:*:*:*. Any Java application linking pgjdbc in these versions with channelBinding connection property set to 'require' is vulnerable. This includes enterprise ORM frameworks (Hibernate, JPA implementations) and application servers (Tomcat, JBoss, WebLogic) that use pgjdbc as their PostgreSQL data source driver.

Remediation

Immediate: Upgrade pgjdbc to version 42.7.7 or later. This version corrects the channel binding validation logic to properly enforce require semantics. Interim mitigations: (1) Change channelBinding connection property from 'require' to 'prefer' if acceptable for your security posture (reduces assurance but prevents downgrade), or (2) Set channelBinding=disable and enforce channel binding at the PostgreSQL server level with ssl_cert_auth or require SCRAM-SHA-256 exclusively. (3) Implement network segmentation to prevent MITM positioning (e.g., VPN, private networks, TLS certificate pinning in application code). For Maven/Gradle projects, update the dependency: org.postgresql:postgresql:42.7.7 or later. Verify no transitive dependencies lock older versions. Check vendor advisories at postgresql.org/about/news for additional context.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +41

POC: 0

Vendor Status

Ubuntu

Priority: Medium

libpgjava

Release	Status	Version
trusty	needs-triage	-
xenial	needs-triage	-
bionic	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
upstream	needs-triage	-
plucky	ignored	end of life, was needs-triage
oracular	ignored	end of life, was needs-triage
questing	needs-triage	-

Debian

Bug #1107696

libpgjava

Release	Status	Fixed Version	Urgency
bullseye	not-affected	-	-
bullseye (security)	fixed	42.2.15-1+deb11u2	-
bookworm	not-affected	-	-
trixie	fixed	42.7.7-1	-
forky, sid	fixed	42.7.10-1	-
(unstable)	fixed	42.7.7-1	-

CVE-2025-49146 vulnerability details – vuln.today

Back

CVE-2025-49146

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-49146

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code