CVE-2025-2291

8.1 HIGH

📋 TL;DR

This vulnerability in PgBouncer allows attackers to authenticate with expired passwords when using auth_query mode. The connection pooler fails to check PostgreSQL's VALID UNTIL password expiration values, bypassing password lifecycle controls. Organizations using PgBouncer with auth_query authentication are affected.

💻 Affected Systems

Products:
  • PgBouncer
Versions: before 1.24.0
Operating Systems: All operating systems running PgBouncer
Default Config Vulnerable: ✅ No
Notes: Only affects configurations using auth_query authentication mode. Other authentication methods are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain unauthorized database access with expired credentials, potentially leading to data theft, privilege escalation, or lateral movement within database infrastructure.

🟠

Likely Case

Users with expired passwords maintain access beyond intended expiration, violating security policies and audit requirements.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to authentication policy violations without data compromise.

🌐 Internet-Facing: HIGH if PgBouncer is exposed to untrusted networks, as expired credentials could be exploited for unauthorized access.
🏢 Internal Only: MEDIUM as internal attackers or compromised accounts could bypass password expiration controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires knowledge of expired credentials. There is no authentication bypass: the attacker must possess a valid but expired password.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PgBouncer 1.24.0 and later

Vendor Advisory: https://www.pgbouncer.org/changelog.html#pgbouncer-124x

Restart Required: Yes

Instructions:

1. Download PgBouncer 1.24.0 or newer from official sources.
2. Stop PgBouncer service.
3. Install updated version.
4. Restart PgBouncer service.
5. Verify functionality.

🔧 Temporary Workarounds

Disable auth_query mode

Switch to alternative authentication methods like auth_file or auth_hba that don't have this vulnerability

Modify pgbouncer.ini: set auth_type = auth_file or auth_hba
Restart PgBouncer: systemctl restart pgbouncer

Enforce password rotation at application layer

Implement additional password expiration checks in application code

🧯 If You Can't Patch

  • Implement network segmentation to restrict PgBouncer access to trusted hosts only
  • Enable comprehensive logging and monitoring for authentication attempts with expired credentials

🔍 How to Verify

Check if Vulnerable:

Check PgBouncer version and auth_query configuration: pgbouncer --version and review pgbouncer.ini for auth_type = auth_query

Check Version:

pgbouncer --version

Verify Fix Applied:

Confirm version is 1.24.0+ (the pattern accepts 1.24 through 1.99 and any 2.x or later major, and rejects e.g. 1.23.5 or 1.3.0): pgbouncer --version | grep -E '(^|[^0-9.])(1\.(2[4-9]|[3-9][0-9])|[2-9]\.[0-9]+)'
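The version grep above is easy to get wrong, and PgBouncer's own configuration does not have an `auth_type = auth_query` value: the user list comes from `auth_file`, the lookup query from `auth_query`, and PgBouncer only consults `auth_query` when an `auth_user` is configured (globally in `[pgbouncer]` or per entry in `[databases]`). The script below is an added example, not part of this advisory or of the PgBouncer project; it parses the `pgbouncer --version` output and a pgbouncer.ini and reports whether the host is exposed. The `SAMPLE_INI` is constructed, the default `auth_query` string is PgBouncer's documented default, and the "query already filters on expiry" check is this example's own heuristic: it looks for the catalog column that carries the role's VALID UNTIL value (`pg_shadow.valuntil` / `pg_authid.rolvaliduntil`), on the reasoning that an `auth_query` which excludes such roles returns no row for them and the login is refused regardless of PgBouncer version.

```python
"""Assess a PgBouncer host for CVE-2025-2291 exposure from its version string and pgbouncer.ini."""
import configparser
import re
from dataclasses import dataclass

FIXED_VERSION = (1, 24, 0)  # fixed release named in the advisory

# PgBouncer's documented default auth_query, used when the key is not set explicitly.
DEFAULT_AUTH_QUERY = "SELECT usename, passwd FROM pg_shadow WHERE usename=$1"

# Catalog columns holding a role's VALID UNTIL timestamp (pg_shadow / pg_authid).
EXPIRY_COLUMNS = ("valuntil", "rolvaliduntil")

# Constructed sample configuration (not from a real deployment).
SAMPLE_INI = """\
[databases]
appdb = host=127.0.0.1 port=5432 dbname=appdb

[pgbouncer]
listen_port = 6432
auth_type = scram-sha-256
auth_file = /etc/pgbouncer/userlist.txt
auth_user = pgbouncer
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1
"""


def parse_version(version_output: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from output such as 'PgBouncer 1.23.1'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version_output)
    if not m:
        raise ValueError(f"no version number found in {version_output!r}")
    major, minor, patch = m.groups(default="0")
    return int(major), int(minor), int(patch)


def is_fixed(version: tuple[int, int, int]) -> bool:
    return tuple(version) >= FIXED_VERSION


def load_ini(ini_text: str) -> configparser.ConfigParser:
    # pgbouncer.ini is INI-like: '=' separators, no %-interpolation, duplicates tolerated.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(ini_text)
    return cp


def auth_query_mode_enabled(cp: configparser.ConfigParser) -> bool:
    """auth_query is consulted only when an auth_user is set, globally or per database."""
    if cp.has_option("pgbouncer", "auth_user"):
        return True
    if cp.has_section("databases"):
        return any("auth_user=" in value for _, value in cp.items("databases"))
    return False


def auth_query_filters_expiry(auth_query: str) -> bool:
    """Example's own heuristic: the query references the VALID UNTIL column, so it can exclude expired roles."""
    lowered = auth_query.lower()
    return any(col in lowered for col in EXPIRY_COLUMNS)


@dataclass
class Assessment:
    version: tuple[int, int, int]
    auth_query_mode: bool
    auth_query: str
    query_filters_expiry: bool

    @property
    def vulnerable(self) -> bool:
        # Exposure needs all three: unfixed version, auth_query mode in use,
        # and a lookup query that does not itself drop expired roles.
        return self.auth_query_mode and not is_fixed(self.version) and not self.query_filters_expiry


def assess(version_output: str, ini_text: str) -> Assessment:
    cp = load_ini(ini_text)
    query = cp.get("pgbouncer", "auth_query", fallback=DEFAULT_AUTH_QUERY).strip()
    return Assessment(
        version=parse_version(version_output),
        auth_query_mode=auth_query_mode_enabled(cp),
        auth_query=query,
        query_filters_expiry=auth_query_filters_expiry(query),
    )


if __name__ == "__main__":
    # Real usage: assess(subprocess.check_output(["pgbouncer", "--version"], text=True),
    #                    open("/etc/pgbouncer/pgbouncer.ini").read())
    result = assess("PgBouncer 1.23.1", SAMPLE_INI)
    print(result)
    print("VULNERABLE" if result.vulnerable else "not vulnerable")
```

Run against the sample, version 1.23.1 with `auth_user` set and the default query reports VULNERABLE; the same configuration on 1.24.0, or with `auth_user` removed, does not. Appending `AND (valuntil IS NULL OR valuntil > now())` to the default query is the kind of expiration check the script recognises; that is a suggestion of this example, not a step the advisory lists.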

📡 Detection & Monitoring

Log Indicators:

  • Authentication attempts with expired passwords in PgBouncer logs
  • Successful connections after password expiration dates

Network Indicators:

  • Database connections from unexpected sources after password rotation

SIEM Query:

source="pgbouncer.log" AND ("auth_query" OR "authentication") AND ("expired" OR "valid until")
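PgBouncer does not itself log anything about password expiry in the vulnerable versions, which is the whole problem, so a log search for "expired" will come up empty. The indicator that can be checked is a correlation: a login by a role whose PostgreSQL VALID UNTIL had already passed at login time. The detector below is an added example, not part of this advisory or of PgBouncer; the log lines are constructed and the line format is approximated from PgBouncer's connection-side "login attempt" message, the expiry map stands in for the result of `SELECT rolname, rolvaliduntil FROM pg_roles WHERE rolcanlogin` on the backend (a NULL `rolvaliduntil` means the role never expires), and log timestamps are assumed to be in UTC.

```python
"""Flag PgBouncer logins by roles whose PostgreSQL VALID UNTIL had already passed."""
import re
from datetime import datetime, timezone
from typing import Optional

# Source of truth on the backend: rolvaliduntil is the VALID UNTIL value of each role.
ROLE_EXPIRY_SQL = "SELECT rolname, rolvaliduntil FROM pg_roles WHERE rolcanlogin"

# Connection-side login line as PgBouncer writes it (format approximated for this example).
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? \S+ .*?"
    r"login attempt: db=(?P<db>\S+) user=(?P<user>\S+)"
)

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    "2025-03-20 10:15:02.123 UTC [4242] LOG C-0x55f1c0a3b2e0: appdb/alice@10.0.0.7:51234 login attempt: db=appdb user=alice tls=no",
    "2025-03-20 10:16:45.001 UTC [4242] LOG C-0x55f1c0a3b9f0: appdb/bob@10.0.0.8:51240 login attempt: db=appdb user=bob tls=no",
    "2025-03-20 10:17:10.555 UTC [4242] LOG S-0x55f1c0a3c100: appdb/pgbouncer@127.0.0.1:5432 new connection to server",
    "2025-03-20 23:59:59.000 UTC [4242] LOG C-0x55f1c0a3d200: appdb/carol@10.0.0.9:51300 login attempt: db=appdb user=carol tls=no",
]

# Constructed stand-in for the ROLE_EXPIRY_SQL result: rolname -> rolvaliduntil (None = NULL).
VALID_UNTIL = {
    "alice": datetime(2025, 3, 1, tzinfo=timezone.utc),   # expired before the log window
    "bob": None,                                          # never expires
    "carol": datetime(2025, 3, 21, tzinfo=timezone.utc),  # still valid at 23:59:59 on the 20th
}


def parse_login(line: str) -> Optional[tuple[datetime, str, str]]:
    """Return (timestamp, db, user) for a login-attempt line, None for any other line."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, m["db"], m["user"]


def find_expired_logins(log_lines, valid_until):
    """One finding per login whose role had a VALID UNTIL at or before the login time."""
    findings = []
    for line in log_lines:
        parsed = parse_login(line)
        if parsed is None:
            continue  # server-side or non-login lines
        ts, db, user = parsed
        expires = valid_until.get(user)
        if expires is not None and ts >= expires:
            findings.append({"time": ts, "db": db, "user": user, "valid_until": expires})
    return findings


def format_finding(f: dict) -> str:
    return (f"{f['time'].isoformat()} login by {f['user']} to {f['db']} "
            f"after VALID UNTIL {f['valid_until'].isoformat()}")


if __name__ == "__main__":
    for finding in find_expired_logins(SAMPLE_LOG, VALID_UNTIL):
        print(format_finding(finding))
```

On the sample data only alice is reported: bob has no expiry and carol's login precedes her VALID UNTIL. The "login attempt" line is written when the client presents itself, so on a patched PgBouncer an expired role will still produce the line and then be refused; the finding is worth an alert either way, because it shows an expired credential still in circulation.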
