public inbox for [email protected]  
From: PgBouncer via PostgreSQL Announce <[email protected]>
To: PostgreSQL Announce <[email protected]>
Subject: PgBouncer 1.25.1 released -  Fixing a bunch of bugs before Christmas (including CVE-2025-12819)
Date: Wed, 03 Dec 2025 22:17:29 +0000
Message-ID: <176480024948.2921403.17247771773846586825@wrigleys.postgresql.org>

PgBouncer 1.25.1 has been released. This release fixes CVE-2025-12819:
Before this release it was possible for an unauthenticated attacker to execute arbitrary SQL during authentication by providing a malicious search_path parameter in the StartupMessage. Systems that have ALL the following configurations are vulnerable:

1. `track_extra_parameters` includes search_path (non-default configuration, probably only configured in setups involving Citus or PostgreSQL 18)
2. `auth_user` is set to a non-empty string (non-default configuration)
3. `auth_query` is configured without fully-qualified object names (default configuration, the < operator is not schema q
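
As an added illustration (not part of this announcement and not PgBouncer project code), the Python script below audits a pgbouncer.ini for the three preconditions listed above and reports which ones hold. The two configuration fragments are constructed samples; `DEFAULT_AUTH_QUERY` is PgBouncer's documented default `auth_query`, and the hardened variant pins both the relation and the `=` operator to `pg_catalog` using PostgreSQL's `OPERATOR(schema.op)` syntax. The test for "fully-qualified object names" is an assumption: a deliberately conservative heuristic (every relation after FROM/JOIN must carry a schema, every comparison operator must be written as `OPERATOR(schema.op)`), not a SQL parser, so it can over-report but should not miss the default query.

```python
"""Audit a pgbouncer.ini for the CVE-2025-12819 preconditions.

Added example, not code from the PgBouncer project. The notion of a
"fully-qualified" auth_query is approximated here (assumption): every
relation named after FROM/JOIN must carry a schema, and every comparison
operator must be spelled OPERATOR(schema.op). Anything else is flagged as
resolvable through search_path.
"""
import configparser
import re

# PgBouncer's documented default auth_query, used when the ini does not override it.
DEFAULT_AUTH_QUERY = "SELECT usename, passwd FROM pg_shadow WHERE usename=$1"

_RELATION = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)
_QUALIFIED_OP = re.compile(r"OPERATOR\s*\(\s*[A-Za-z_]\w*\s*\.\s*[^)]+\)", re.IGNORECASE)
_BARE_OP = re.compile(r"<>|!=|<=|>=|=|<|>")


def unqualified_objects(auth_query):
    """Return the names in auth_query that a client-supplied search_path could redirect."""
    findings = []
    for name in _RELATION.findall(auth_query):
        if "." not in name:
            findings.append("relation " + name)
    # Whatever operator text survives removal of OPERATOR(schema.op) forms is bare.
    for op in _BARE_OP.findall(_QUALIFIED_OP.sub(" ", auth_query)):
        findings.append("operator " + op)
    return findings


def preconditions(ini_text):
    """Evaluate the advisory's three conditions against one pgbouncer.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    pgb = cp["pgbouncer"] if cp.has_section("pgbouncer") else {}
    tracked = [p.strip().lower() for p in pgb.get("track_extra_parameters", "").split(",")]
    auth_query = pgb.get("auth_query", DEFAULT_AUTH_QUERY)
    return {
        "search_path_tracked": "search_path" in tracked,
        "auth_user_set": pgb.get("auth_user", "").strip() != "",
        "auth_query_unqualified": bool(unqualified_objects(auth_query)),
    }


def is_vulnerable(ini_text):
    """All three preconditions must hold for the pre-1.25.1 issue to apply."""
    return all(preconditions(ini_text).values())


# Constructed sample: a Citus-style setup forwarding search_path, with the default auth_query.
VULNERABLE_INI = """
[databases]
app = host=127.0.0.1 dbname=app

[pgbouncer]
listen_port = 6432
auth_type = md5
auth_user = pgbouncer
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1
track_extra_parameters = IntervalStyle, search_path
"""

# Same setup with the relation and the = operator pinned to pg_catalog.
HARDENED_INI = VULNERABLE_INI.replace(
    "SELECT usename, passwd FROM pg_shadow WHERE usename=$1",
    "SELECT usename, passwd FROM pg_catalog.pg_shadow WHERE usename OPERATOR(pg_catalog.=) $1",
)

# Default tracking: search_path is not forwarded, so condition 1 does not hold.
DEFAULT_TRACKING_INI = VULNERABLE_INI.replace(
    "track_extra_parameters = IntervalStyle, search_path",
    "track_extra_parameters = IntervalStyle",
)

if __name__ == "__main__":
    samples = (
        ("vulnerable", VULNERABLE_INI),
        ("hardened", HARDENED_INI),
        ("default-tracking", DEFAULT_TRACKING_INI),
    )
    for label, ini in samples:
        verdict = "VULNERABLE" if is_vulnerable(ini) else "ok"
        print(label, preconditions(ini), "->", verdict)
```

Upgrading to 1.25.1 is the fix; the hardened `auth_query` is a defence in depth that removes condition 3 regardless of the PgBouncer version, and clearing `search_path` from `track_extra_parameters` removes condition 1 where it is not actually needed.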

This release also fixes a bunch of bugs/issues introduced in the recent 1.25.0 release.

See the full details in the [changelog](https://pgbouncer.org/changelog.html#pgbouncer-125x).

Download here:
[pgbouncer-1.25.1.tar.gz](https://pgbouncer.org/downloads/files/1.25.1/pgbouncer-1.25.1.tar.gz)
([sha256](https://pgbouncer.org/downloads/files/1.25.1/pgbouncer-1.25.1.tar.gz.sha256))

