Summary
Security updates have been released to address a high-severity vulnerability (CVE-2025-2291) in PgBouncer, a lightweight connection pooler for PostgreSQL designed to handle database connections efficiently. If exploited, this vulnerability could allow a malicious user to bypass the password-expiration restriction enforced by PostgreSQL and authenticate through PgBouncer with credentials that should no longer be accepted.
Risk
Estimate of the impact of the vulnerability on the reference community: Medium (64.23) [1]
Type
- Authentication Bypass
Affected products and/or versions
PgBouncer, versions prior to 1.24.1
Mitigation actions
It is recommended to update the affected product to a fixed version, following the indications reported in the security bulletin linked in the References section.
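The affected range above ("prior to 1.24.1") and the mitigation ("update") translate in practice into a fleet-wide check of the installed PgBouncer version. The script below is an added example, not code from this bulletin or from the PgBouncer project: it parses the output of `pgbouncer --version` (PgBouncer supports `-V`/`--version`) and classifies it as affected, fixed or unknown against the fixed release 1.24.1. It assumes the first dotted numeric token in that output is the PgBouncer version; the sample lines it runs on are constructed for illustration, not captured from real hosts.

```shell
#!/bin/sh
# Added example (not from the bulletin or the PgBouncer project):
# classify `pgbouncer --version` output against the fixed release 1.24.1.
# Assumption: the first dotted numeric token in the output is the PgBouncer
# version (real builds print e.g. "PgBouncer 1.24.0 ..."). Sample inputs
# below are constructed.

FIXED_VERSION="1.24.1"

# extract_version TEXT: print the first dotted numeric token in TEXT
# (e.g. "1.24.0" from "PgBouncer 1.24.0 (libevent 2.1.12)"), or nothing
# when no such token exists.
extract_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p' \
        | head -n 1
}

# version_lt A B: exit 0 if dotted version A is older than B.
# Components are compared numerically (so 1.24.10 > 1.24.1); missing
# trailing components count as 0 (so 1.24 == 1.24.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# pgbouncer_status TEXT: print "affected", "fixed" or "unknown" for the
# given `pgbouncer --version` output. Always exits 0, so it is safe to
# call under `set -e`; the printed word is the result.
pgbouncer_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo affected
    else
        echo fixed
    fi
}

# Constructed sample outputs, one per line, to show the classification.
for sample in "PgBouncer 1.23.1" \
              "PgBouncer 1.24.0 (libevent 2.1.12-stable)" \
              "PgBouncer 1.24.1" \
              "PgBouncer 1.25.0" \
              "sh: pgbouncer: command not found"; do
    printf '%-45s %s\n' "$sample" "$(pgbouncer_status "$sample")"
done

# On a real host, also check the installed binary when one is present.
if command -v pgbouncer >/dev/null 2>&1; then
    printf 'installed: %s\n' "$(pgbouncer_status "$(pgbouncer --version 2>&1)")"
fi
```

The numeric, per-component comparison matters here: a plain string comparison would rank 1.24.10 below 1.24.1 and misreport a patched host as affected. A result of "unknown" should be investigated rather than ignored, since a host that cannot report its version may be running an old or non-standard build.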
References
https://www.pgbouncer.org/2025/04/pgbouncer-1-24-1
https://www.postgresql.org/about/news/pgbouncer-1241-released-fixes-cve-2025-2291-3059/
[1] This estimate takes into account several parameters, including the CVSS score, the availability of patches, workarounds and proof-of-concept code, and the diffusion of the affected software/devices in the reference community.