CVE-2025-2291

Summary

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password

Affected Software

VendorProductVersion RangeStatus
n/aPgBouncer0 < 1.24.1affected

Weaknesses

  • CWE-324: Use of a Key Past its Expiration Date

Workarounds

Configure a custom auth_query containing the new default auth_query introduced in PgBouncer 1.24.1, this auth_query takes expiry into account

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References