CVE-2025-12819

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands during PgBouncer authentication by manipulating the search_path parameter. It affects all PgBouncer instances before version 1.25.1 that accept connections from untrusted networks. Attackers can potentially gain unauthorized database access or execute malicious SQL.

💻 Affected Systems

Products:
  • PgBouncer
Versions: All versions before 1.25.1
Operating Systems: All operating systems running PgBouncer
Default Config Vulnerable: ⚠️ Yes
Notes: All PgBouncer configurations that accept connections from potentially untrusted sources are vulnerable. The vulnerability exists in the auth_query connection handler.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, modification, or deletion, and potential privilege escalation to underlying database systems.

🟠 Likely Case: Unauthorized SQL execution leading to data exfiltration, authentication bypass, or denial of service against the database.

🟢 If Mitigated: Limited impact if network access controls restrict connections to trusted sources only, preventing external exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a malicious StartupMessage carrying a crafted search_path parameter during the authentication phase.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.25.1

Vendor Advisory: https://www.pgbouncer.org/changelog.html#pgbouncer-125x

Restart Required: Yes

Instructions:

1. Download PgBouncer 1.25.1 or later from official sources.
2. Stop the PgBouncer service.
3. Install the updated version.
4. Restart the PgBouncer service.
5. Verify the version is 1.25.1 or higher.

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict PgBouncer connections to trusted IP addresses only using firewall rules or PgBouncer's listen_addr configuration.

iptables -A INPUT -p tcp --dport 6432 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 6432 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PgBouncer from untrusted networks
  • Monitor authentication logs for unusual search_path parameters or failed authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check PgBouncer version: if version is below 1.25.1, the system is vulnerable.

Check Version:

pgbouncer --version

Verify Fix Applied:

Confirm PgBouncer version is 1.25.1 or higher and restart service to ensure patch is active.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication failures
  • Unexpected search_path parameters in connection logs
  • SQL errors during authentication phase

Network Indicators:

  • Connection attempts with malformed StartupMessage packets
  • Authentication requests from unexpected sources

SIEM Query:

source="pgbouncer.log" AND ("authentication failure" OR "search_path" OR "StartupMessage")
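As an added example (not part of this advisory and not PgBouncer's own code), the check below scans connection log lines for a search_path startup parameter that is not a plain schema list, alongside authentication failures. The log line format and the `search_path=` token are constructed assumptions; adapt the regexes to what your deployment actually logs.

```python
import re

# Constructed sample lines (not real PgBouncer output); the "search_path=<value>"
# token at the end of a login line is an assumption about the log format.
SAMPLE_LOG = """\
2025-11-01 10:00:01 LOG login attempt: db=app user=svc host=10.0.0.5 search_path=public
2025-11-01 10:00:02 LOG login attempt: db=app user=svc host=10.0.0.5 search_path="$user",public
2025-11-01 10:00:03 LOG login attempt: db=app user=svc host=203.0.113.7 search_path=public;x
2025-11-01 10:00:04 LOG login attempt: db=app user=svc host=203.0.113.7 search_path=pub'lic
2025-11-01 10:00:05 WARNING authentication failure: db=app user=svc host=203.0.113.7
"""

# A legitimate search_path is a comma-separated list of schema names, each either an
# unquoted identifier or a double-quoted identifier (PostgreSQL allows "$user").
# Anything else (semicolons, single quotes, parentheses, ...) is worth reviewing.
IDENT = r'(?:[A-Za-z_][A-Za-z0-9_$]*|"[^"]+")'
SAFE_SEARCH_PATH = re.compile(rf'^\s*{IDENT}(?:\s*,\s*{IDENT})*\s*$')

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<msg>.*?)(?: search_path=(?P<sp>.*))?$'
)
HOST_RE = re.compile(r'host=(?P<host>\S+)')


def is_safe_search_path(value: str) -> bool:
    """True when the value is a plain schema list with no SQL syntax in it."""
    return SAFE_SEARCH_PATH.match(value) is not None


def scan(log_text: str) -> list[dict]:
    """One finding per line with a suspicious search_path or an authentication failure."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line we understand; skip rather than guess
        h = HOST_RE.search(line)
        host = h.group("host") if h else "?"
        sp = m.group("sp")
        if sp is not None and not is_safe_search_path(sp):
            findings.append({"ts": m.group("ts"), "host": host,
                             "reason": "suspicious search_path", "value": sp})
        elif "authentication failure" in m.group("msg"):
            findings.append({"ts": m.group("ts"), "host": host,
                             "reason": "auth failure", "value": None})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A flagged value is a trigger for review, not proof of exploitation; correlate it with the source host and with failures logged around the same time.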
