#VU107593 Weak password requirements in pgbouncer - CVE-2025-2291

Published: April 17, 2025


Vulnerability identifier: #VU107593
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-2291
CWE-ID: CWE-521
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
pgbouncer
Software vendor:
PgBouncer

Description

The vulnerability allows an attacker to gain unauthorized access to the application.

The vulnerability exists because a password can still be used after it has expired: auth_query does not take PostgreSQL's VALID UNTIL value into account. An attacker who knows an expired password can therefore successfully log in to the application.
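As an added illustration (not part of this advisory, and not PgBouncer's own patch) of the query shape the bug concerns: the first statement is the form PgBouncer documents as its default auth_query and returns a hash regardless of expiry, the second adds the VALID UNTIL condition so an expired password is never handed to PgBouncer. It assumes auth_query reads pg_shadow, where VALID UNTIL is exposed as the valuntil column.

```sql
-- Weak form: the auth_query shape PgBouncer documents as its default.
-- It returns the stored hash for any existing role, so PgBouncer cannot
-- tell that the password has passed its VALID UNTIL date.
SELECT usename, passwd
  FROM pg_shadow
 WHERE usename = $1;

-- Hardened form: return no row once VALID UNTIL has passed, so PgBouncer
-- treats the login like an unknown user instead of checking the hash.
-- A NULL valuntil means "never expires" and must still be accepted.
SELECT usename, passwd
  FROM pg_shadow
 WHERE usename = $1
   AND (valuntil IS NULL OR valuntil > now());

-- Audit query (not used by PgBouncer): roles whose password has already
-- expired, i.e. the accounts an unpatched PgBouncer would still accept.
SELECT usename, valuntil
  FROM pg_shadow
 WHERE valuntil IS NOT NULL
   AND valuntil <= now()
 ORDER BY valuntil;
```

The auth_query value is written on a single line in pgbouncer.ini; keep the existing practice of running it as a restricted auth_user or through a SECURITY DEFINER function, as the PgBouncer documentation describes, unchanged.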


Remediation

Install updates from vendor's website.

External links