CVE-2025-22248
📋 TL;DR
This vulnerability allows unauthenticated access to PostgreSQL databases in Bitnami's pgpool Docker image and postgres-ha Kubernetes chart. Attackers can exploit the default 'repmgr' user with trust-level authentication to gain database access. Organizations using these default configurations with external exposure are affected.
💻 Affected Systems
- bitnami/pgpool Docker image
- bitnami/postgres-ha Kubernetes Helm chart
📦 What is this software?
Bitnami by Broadcom
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, modification, or deletion, and potential lateral movement within the cluster.
Likely Case
Unauthorized database access leading to data exfiltration or manipulation of database contents.
If Mitigated
Limited impact with proper network segmentation and authentication controls in place.
🎯 Exploit Status
Simple authentication bypass using default credentials - no special tools required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific fixed versions
Vendor Advisory: https://github.com/bitnami/charts/security/advisories/GHSA-mx38-x658-5fwj
Restart Required: Yes
Instructions:
1. Update to patched versions of bitnami/pgpool or bitnami/postgres-ha.
2. Change PGPOOL_SR_CHECK_USER authentication from 'trust' to 'md5' or stronger.
3. Restart affected services.
🔧 Temporary Workarounds
Change repmgr authentication method
Modify the PostgreSQL configuration to require password authentication for the repmgr user
ALTER USER repmgr WITH PASSWORD 'strong_password';
Update pg_hba.conf to change 'trust' to 'md5' for repmgr connections
Network isolation
Restrict network access to pgpool services
Use firewall rules to limit access to trusted IPs only
Apply Kubernetes network policies with kubectl to restrict pod communication
🧯 If You Can't Patch
- Implement strict network segmentation to isolate pgpool from untrusted networks
- Change repmgr user password and update authentication method from trust to md5 in PostgreSQL configuration
🔍 How to Verify
Check if Vulnerable:
Check if PGPOOL_SR_CHECK_USER is set to 'repmgr' and authentication method is 'trust' in pg_hba.conf
Check Version:
docker images | grep bitnami/pgpool (Docker image), or helm list (postgres-ha chart)
Verify Fix Applied:
Attempt to connect to PostgreSQL using 'psql -U repmgr -h <hostname>' without a password; the connection should fail
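An added example for the "Check if Vulnerable" step (not code from the vendor advisory or from Bitnami): it parses pg_hba.conf text and lists every 'trust' rule that applies to the repmgr role, covering both the CIDR and the IP-plus-netmask address forms. The sample file is constructed, the function name is hypothetical, and +group and @file user entries are not resolved.

```python
import ipaddress
import shlex

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample, not taken from the Bitnami image.
SAMPLE = """\
# TYPE  DATABASE     USER        ADDRESS             METHOD
local   all          postgres                        peer
host    all          repmgr      0.0.0.0/0           trust
host    replication  repmgr,app  10.0.0.0 255.0.0.0  trust  # IP + netmask form
host    all          all         0.0.0.0/0           md5
hostssl all          app         ::/0                scram-sha-256
"""

def _is_bare_ip(token):
    """True for an IP address written without a /prefix (a netmask field follows)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def trust_rules_for(hba_text, role="repmgr"):
    """Return (line_no, type, database, address) for each 'trust' rule matching role."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), start=1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments, handles quotes
        if not fields:
            continue
        conn_type, rest = fields[0], fields[1:]
        if conn_type == "local" and len(rest) >= 3:
            database, users, address, method = rest[0], rest[1], "(unix socket)", rest[2]
        elif conn_type in HOST_TYPES and len(rest) >= 4:
            database, users, address = rest[:3]
            if _is_bare_ip(address) and len(rest) >= 5:
                address, method = f"{address} {rest[3]}", rest[4]
            else:
                method = rest[3]
        else:
            continue  # include directives and malformed lines are out of scope
        names = users.split(",")  # assumption: plain role names or 'all' only
        if method == "trust" and (role in names or "all" in names):
            findings.append((line_no, conn_type, database, address))
    return findings

if __name__ == "__main__":
    for finding in trust_rules_for(SAMPLE):
        print("trust rule for repmgr:", finding)
```

An empty result means no 'trust' rule names repmgr or 'all'; PostgreSQL applies the first matching record, so any reported line still needs to be read in file order.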
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts for repmgr user
- Successful connections from unexpected IPs to repmgr user
Network Indicators:
- Unusual database query patterns from repmgr user
- External connections to pgpool service on PostgreSQL port
SIEM Query:
source="postgresql" AND user="repmgr" AND (event_type="authentication_success" OR event_type="connection")