CVE-2025-49146
📋 TL;DR
The pgjdbc PostgreSQL JDBC driver incorrectly allows connections with authentication methods that don't support channel binding when channel binding is set to 'required'. This allows man-in-the-middle attackers to intercept connections users believed were protected. Affects pgjdbc versions 42.7.4 through 42.7.6 when channel binding is configured as required.
💻 Affected Systems
- pgjdbc PostgreSQL JDBC Driver
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept sensitive database traffic including credentials and data, potentially leading to full database compromise and data exfiltration.
Likely Case
Man-in-the-middle attackers downgrade channel binding protection and intercept database communications in vulnerable configurations.
If Mitigated
With proper network segmentation and TLS enforcement, impact is limited to potential authentication bypass in specific configurations.
🎯 Exploit Status
Requires man-in-the-middle position and knowledge of vulnerable configuration. Exploitation depends on network access to intercept JDBC connections.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 42.7.7
Vendor Advisory: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54
Restart Required: Yes
Instructions:
1. Update the pgjdbc dependency to version 42.7.7 or later.
2. Update the Maven/Gradle/SBT configuration to use the fixed version.
3. Rebuild and redeploy affected applications.
4. Restart application servers using the updated driver.
🔧 Temporary Workarounds
Change channel binding configuration
Set channel binding to 'prefer' (the default) or 'disable' instead of 'required'. Note that this removes the expectation of enforced channel binding rather than restoring it.
In JDBC URL: jdbc:postgresql://host/db?channelBinding=prefer
Or in connection properties: channelBinding=prefer
Enforce SCRAM-SHA-256 authentication
Configure PostgreSQL to require SCRAM-SHA-256, which supports channel binding.
In postgresql.conf: password_encryption = scram-sha-256
Or from SQL:
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();
🧯 If You Can't Patch
- Enforce TLS 1.2+ with certificate validation on all database connections
- Implement network segmentation and restrict database access to trusted networks only
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for pgjdbc version 42.7.4-42.7.6 and verify if channel binding is set to 'required' in connection configuration.
Check Version:
Check Maven: mvn dependency:tree | grep postgresql
Check Gradle: ./gradlew dependencies | grep postgresql
Or check the JAR manifest: java -jar your-app.jar --version
Verify Fix Applied:
Confirm pgjdbc version is 42.7.7 or later in dependency files and verify connections use proper channel binding enforcement.
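The two checks above (driver version in the affected range, and channelBinding=required in the connection configuration) can be scripted. The following is an added example, not part of the advisory or the pgjdbc project: it parses a pgjdbc version out of Maven or Gradle dependency output, reads the effective channelBinding setting from a JDBC URL or a properties map, and flags the vulnerable combination. The sample dependency line and JDBC URL are constructed, and the assumption that a URL query parameter overrides the same key in the Properties object is noted in the code.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs (hypothetical application): one line of
# `mvn dependency:tree` output and the application's JDBC URL.
SAMPLE_TREE_LINE = "[INFO] +- org.postgresql:postgresql:jar:42.7.5:compile"
SAMPLE_JDBC_URL = ("jdbc:postgresql://db.internal:5432/app"
                   "?sslmode=verify-full&channelBinding=required")

VULNERABLE_MIN = (42, 7, 4)   # affected range per the advisory, inclusive
VULNERABLE_MAX = (42, 7, 6)
FIXED_VERSION = (42, 7, 7)

# Matches both Maven (":jar:42.7.5:compile") and Gradle ("postgresql:42.7.5") lines.
_VERSION_RE = re.compile(r"org\.postgresql:postgresql(?::jar)?:(\d+)\.(\d+)\.(\d+)")

def parse_pgjdbc_version(dependency_output):
    """Return the pgjdbc version as a (major, minor, patch) tuple, or None if absent."""
    m = _VERSION_RE.search(dependency_output)
    return tuple(int(x) for x in m.groups()) if m else None

def channel_binding_mode(jdbc_url, properties=None):
    """Effective channelBinding setting. Assumption: a URL query parameter
    overrides the same key in the Properties object; the driver default is 'prefer'."""
    bare = jdbc_url[5:] if jdbc_url.startswith("jdbc:") else jdbc_url
    query = parse_qs(urlsplit(bare).query)
    if "channelBinding" in query:
        return query["channelBinding"][0].lower()
    return str((properties or {}).get("channelBinding", "prefer")).lower()

def is_affected(version, mode):
    """CVE-2025-49146 applies only to 42.7.4-42.7.6 with channelBinding=required."""
    return (version is not None
            and VULNERABLE_MIN <= version <= VULNERABLE_MAX
            and mode == "required")

def assess(dependency_output, jdbc_url, properties=None):
    version = parse_pgjdbc_version(dependency_output)
    mode = channel_binding_mode(jdbc_url, properties)
    affected = is_affected(version, mode)
    if affected:
        action = "upgrade pgjdbc to %d.%d.%d or later" % FIXED_VERSION
    elif version is None:
        action = "pgjdbc not found in dependency output"
    elif mode != "required":
        action = "channelBinding=%s does not enforce channel binding" % mode
    else:
        action = "not affected by CVE-2025-49146"
    return {"version": version, "mode": mode, "affected": affected, "action": action}

if __name__ == "__main__":
    print(assess(SAMPLE_TREE_LINE, SAMPLE_JDBC_URL))
```

Feed it the real output of the Maven or Gradle command from the version check above together with each data source's JDBC URL and properties.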
📡 Detection & Monitoring
Log Indicators:
- Failed channel binding attempts in PostgreSQL logs
- Authentication method downgrades in application logs
- Unexpected authentication method usage
Network Indicators:
- Unencrypted or downgraded database protocol traffic
- MITM patterns in network traffic
SIEM Query:
source="postgresql.log" AND ("channel binding" OR "authentication method") AND ("failed" OR "downgrade")