CVE-2025-2506

Name of the Vulnerable Software and Affected Versions pglogical versions 3.x BDR/PGD versions 4 and 5

Description The issue arises when pglogical attempts to replicate data without verifying if it is using a replication connection. This allows a user with CONNECT access to a database configured for replication to execute the pglogical command and obtain read access to replicated tables. An attacker would need at least CONNECT permissions to a database configured for replication and must be familiar with pglogical3/BDR specific commands and be able to decode the binary protocol to exploit the vulnerability.

Recommendations For pglogical version 3.x, consider restricting access to the replication functionality until a proper verification mechanism is implemented. For BDR/PGD versions 4 and 5, restrict access to the integrated pglogical codebase to minimize the risk of exploitation. As a temporary workaround, consider disabling the replication feature for databases configured for replication until a patch is available.