CVE-2025-2291

EUVD-2025-11379
Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
PostgreSQLCNA
8.1 HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
Affected Products (NVD)
VendorProductVersion
pgbouncerpgbouncer
𝑥
< 1.24.1
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pgbouncer
bookworm
1.18.0-1+deb12u1
fixed
bullseye
vulnerable
bullseye (security)
1.15.0-1+deb11u2
fixed
forky
1.25.1-1
fixed
sid
1.25.1-1
fixed
trixie
1.24.1-1+deb13u1
fixed
Common Weakness Enumeration
References
https://www.pgbouncer.org/changelog.html#pgbouncer-124x
https://lists.debian.org/debian-lts-announce/2025/05/msg00032.html