Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow.
AnalysisAI
Stack overflow in PgBouncer before 1.25.2 enables malicious PostgreSQL backend servers to trigger remote code execution via SCRAM authentication nonce manipulation. The flaw stems from incorrect strlcat() return value checking during SCRAM client-final-message construction. Remote unauthenticated exploitation is possible (CVSS 8.1, AV:N/PR:N) but requires high attack complexity - specifically, the attacker must control or compromise the backend PostgreSQL server PgBouncer connects to. No public exploit identified at time of analysis; EPSS and KEV data not available in this assessment.
Technical ContextAI
PgBouncer is a lightweight PostgreSQL connection pooler. The vulnerability affects the SCRAM (Salted Challenge Response Authentication Mechanism) implementation, which PgBouncer uses for secure authentication with PostgreSQL backends. CWE-121 indicates a stack-based buffer overflow. The strlcat() function returns the total length of the string it tried to create, not just the number of characters appended. The SCRAM code failed to validate this return value correctly when concatenating components of the client-final-message. When a malicious backend sends a server-final-message containing an abnormally long nonce value, the unchecked strlcat() can overflow the stack buffer allocated for message construction. CPE string (cpe:2.3:a:n/a:pgbouncer:*:*:*:*:*:*:*:*) indicates all PgBouncer versions before 1.25.2 are affected. This is a server-side vulnerability in the connection pooler's authentication handshake logic, not in PostgreSQL itself.
RemediationAI
Upgrade PgBouncer to version 1.25.2 or later, which correctly validates strlcat() return values in SCRAM authentication code. Download from official PgBouncer releases and review the changelog at https://www.pgbouncer.org/changelog.html#pgbouncer-125x for upgrade procedures. If immediate patching is not feasible, implement network segmentation to ensure PgBouncer only connects to trusted, hardened PostgreSQL backend servers - specifically, place backends in isolated VLANs with strict ingress controls to prevent compromise. Disable SCRAM authentication and use legacy md5 or trust methods ONLY if backend servers are in a fully trusted security zone (this degrades authentication security and should be temporary). Monitor PgBouncer logs for authentication anomalies or unexpected server-final-message patterns during SCRAM handshakes. Note that authentication downgrade introduces password transmission risks and should only be used with encrypted connections (TLS) to backends.
PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by send
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Se
PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user
Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value,
When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries
Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to
Remote denial-of-service in PgBouncer versions before 1.25.2 allows unauthenticated attackers to crash the connection po
PgBouncer before version 1.25.2 crashes when a backend PostgreSQL server sends an error response lacking an SQLSTATE fie
The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a d
PgBouncer before version 1.25.2 fails to properly restrict the KILL_CLIENT admin command to authorized users, allowing a
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28877
GHSA-mhmx-mjv6-w337