Weak password requirements in pgbouncer - CVE-2025-2291
Published: April 17, 2025
Vulnerability identifier: #VU107593
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-2291
CWE-ID: CWE-521
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: PgBouncer
Affected software:
pgbouncer
pgbouncer
Detailed vulnerability description
The vulnerability allows an attacker to gain unauthorized access to the application.
The vulnerability exists due to password can be used past its expiration as auth_query is not taking into account Postgre's VALID UNTIL value. An attacker with knowledge of an expired password can successfully login to the application.
How to mitigate CVE-2025-2291
Install updates from vendor's website.