PT-2025-48983 · Pgbouncer+3

Jason Tsang · Published 2025-12-03 · Updated 2026-02-09 · CVE-2025-12819

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PgBouncer versions prior to 1.25.1
Description: A flaw exists in PgBouncer’s authentication process due to an untrusted search path within the auth query connection handler. This allows an unauthenticated attacker to execute arbitrary SQL code during authentication by manipulating the search path parameter in the StartupMessage. The search path parameter is used to define the schema search order for database objects.
Recommendations: Upgrade to PgBouncer version 1.25.1 or later.
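As an added illustration of the parameter the description refers to (example code written for this page, not PgBouncer's or the advisory's own), the following Python helper decodes a PostgreSQL protocol 3.0 StartupMessage and reports a client-supplied search_path, whether sent as a direct run-time parameter or inside the libpq `options` string. The sample packet is constructed inline, and the function names are my own.

```python
import struct

PROTOCOL_V3 = 196608  # protocol version 3.0 (major 3, minor 0)


def build_startup_message(params: dict) -> bytes:
    """Encode a PostgreSQL protocol 3.0 StartupMessage from key/value pairs.

    Used here only to construct sample packets for the checker below."""
    body = struct.pack("!i", PROTOCOL_V3)
    for key, value in params.items():
        body += key.encode() + b"\0" + value.encode() + b"\0"
    body += b"\0"  # terminator after the last pair
    return struct.pack("!i", len(body) + 4) + body


def parse_startup_message(msg: bytes) -> dict:
    """Decode the parameters of a StartupMessage; raises on malformed input."""
    if len(msg) < 9:
        raise ValueError("startup packet too short")
    length, version = struct.unpack("!ii", msg[:8])
    if length != len(msg) or version != PROTOCOL_V3:
        raise ValueError("not a complete protocol 3.0 StartupMessage")
    params, i = {}, 8
    while msg[i] != 0:  # stop at the terminating NUL
        j = msg.index(b"\0", i)       # end of key
        k = msg.index(b"\0", j + 1)   # end of value
        params[msg[i:j].decode()] = msg[j + 1:k].decode()
        i = k + 1
    return params


def search_path_findings(params: dict) -> list:
    """Report each way a client can push search_path at connect time:
    as a direct run-time parameter, or via the libpq 'options' string."""
    findings = []
    if "search_path" in params:
        findings.append("search_path parameter: %r" % params["search_path"])
    options = params.get("options", "")
    if "search_path=" in options:
        findings.append("search_path inside options: %r" % options)
    return findings


# Constructed sample: what a pooler sees when a client connects with a
# search_path set (the benign value "public" is used; the check is on presence).
SAMPLE_MSG = build_startup_message(
    {"user": "app", "database": "app", "search_path": "public"})

if __name__ == "__main__":
    for line in search_path_findings(parse_startup_message(SAMPLE_MSG)):
        print("ALERT", line)
```

Run against startup packets captured in front of a pooler, an empty result for a connection is the normal case; any finding on a pre-1.25.1 PgBouncer is worth correlating with the auth_query activity for that connection.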

Fix

Weakness Enumeration: Untrusted Search Path

Related Identifiers

AZL-71249
AZL-71438
BDU:2025-15208
BIT-PGBOUNCER-2025-12819
CVE-2025-12819
DLA-4422-1

Affected Products

Alt Linux
Debian
Pgbouncer
Red Os