PT-2025-25224 · Pgjdbc+2 · Pgjdbc+4

Jawj · Published 2025-06-11 · Updated 2026-01-20 · CVE-2025-49146

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions: pgjdbc versions 42.7.4 through 42.7.6

Description: The issue arises when the PostgreSQL JDBC driver is configured with channel binding set to required but still allows connections to proceed with authentication methods that do not support channel binding, such as password, MD5, GSS, or SSPI authentication. This could enable a man-in-the-middle attacker to intercept connections that users believed were protected by the channel binding requirement.

Recommendations: For pgjdbc versions 42.7.4 through 42.7.6, update to version 42.7.7 to resolve the issue. As a temporary workaround, consider configuring sslMode=verify-full to prevent man-in-the-middle attacks.

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2025-06805
BIT-POSTGRESQL-JDBC-DRIVER-2025-49146
CVE-2025-49146
ECHO-9F55-F2F4-C741
GHSA-HQ9P-PM7W-8P54
OPENSUSE-SU-2025:15264-1

Affected Products

Bamboo
Bitbucket
Confluence
Debian
Pgjdbc