Untrusted Search Path Vulnerability in PgBouncer by PgBouncer
CVE-2025-12819
What is CVE-2025-12819?
CVE-2025-12819 is a security vulnerability in PgBouncer, a widely used connection pooler for PostgreSQL. It stems from an untrusted search path in the auth_query connection handler of versions prior to 1.25.1. Because the search_path parameter that a client supplies in the StartupMessage is trusted while the authentication query runs, an unauthenticated attacker may be able to execute arbitrary SQL during the authentication process. Such manipulation of the authentication query could lead to unauthorized data access or modification, jeopardizing the integrity and confidentiality of sensitive organizational data.
Potential impact of CVE-2025-12819
- Unauthorized Data Access: The vulnerability can allow attackers to craft requests that may give them access to confidential database information without proper authentication, resulting in significant data exposure.
- Data Manipulation: By executing arbitrary SQL, attackers could alter or delete data within the database. This could lead to data corruption, loss, or unwanted modifications, which can severely disrupt business operations.
- Increased Attack Surface: The vulnerability can open the door to further exploitation, potentially allowing threat actors to establish a foothold in vulnerable systems and enabling subsequent attacks or the deployment of malware.

Affected Version(s)
PgBouncer, all versions below 1.25.1 (0 <= version < 1.25.1)
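A defender-side check that combines the two facts above: a PgBouncer build older than 1.25.1 is affected, and the risk surfaces through auth_query, whose unqualified object names are the ones a client-chosen search_path resolves. This is an added example written for this page, not PgBouncer's own code; the pgbouncer.ini sample, the version banner and the `user_lookup` function name are constructed, and the "unqualified name" test is a heuristic, not a proof of exploitability.

```python
"""Audit a pgbouncer.ini plus a version string for CVE-2025-12819 exposure.
Hypothetical helper for this page; not part of PgBouncer."""
import configparser
import re

FIXED_VERSION = (1, 25, 1)  # first release with the fix, per the advisory


def parse_version(text: str) -> tuple:
    """Extract '1.24.1' (or a 'PgBouncer 1.24.1' banner) as a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def is_vulnerable_version(text: str) -> bool:
    """True when the running build predates the fixed release."""
    return parse_version(text) < FIXED_VERSION


def unqualified_relations(auth_query: str) -> list:
    """Heuristic: names after FROM/JOIN with no 'schema.' prefix. These are
    resolved through search_path, so a client-controlled search_path decides
    which object they bind to. Quoted identifiers are not handled."""
    names = re.findall(r"\b(?:FROM|JOIN)\s+([A-Za-z_][\w.]*)", auth_query, re.I)
    return [n for n in names if "." not in n]


def audit(ini_text: str, version_banner: str) -> dict:
    """Return findings: affected version?, the auth_query, and its unqualified names."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep '%' and '$1' literal
    cfg.read_string(ini_text)
    auth_query = cfg.get("pgbouncer", "auth_query", fallback=None)
    vulnerable = is_vulnerable_version(version_banner)
    return {
        "vulnerable_version": vulnerable,
        "auth_query": auth_query,
        "unqualified": unqualified_relations(auth_query) if auth_query else [],
        # auth_query is the affected code path; a pooler not using it is out of scope
        "action_required": vulnerable and auth_query is not None,
    }


# Constructed sample configuration (not from any real deployment).
SAMPLE_INI = """[databases]
app = host=127.0.0.1 dbname=app
[pgbouncer]
listen_port = 6432
auth_type = md5
auth_user = pgbouncer
auth_query = SELECT usename, passwd FROM user_lookup($1)
"""

if __name__ == "__main__":
    print(audit(SAMPLE_INI, "PgBouncer 1.24.1"))
```

Schema-qualifying every object in auth_query (for example `auth.user_lookup`) removes the dependency on search_path, but it is a hardening measure alongside the upgrade to 1.25.1, not a substitute for it.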