How the CVE works:
PgBouncer, a PostgreSQL connection pooler, contains an untrusted search path vulnerability in the auth_query connection handler in versions prior to 1.25.1. During client authentication, the StartupMessage sent by a client can include a search_path parameter, which is not validated or sanitized before the auth_query SQL is executed. An unauthenticated attacker can craft a StartupMessage whose search_path points to a schema under their control; when PgBouncer processes this message, the auth_query handler runs the authentication queries with the attacker-supplied search_path, so database object resolution is influenced by the attacker. By placing SQL functions or objects in the controlled schema, the attacker can cause the auth_query to execute arbitrary SQL during authentication, bypassing authentication safeguards and enabling SQL execution without valid credentials. The root cause is the failure to restrict the search_path input from unauthenticated clients in the authentication flow.
Platform: PgBouncer
Version: before 1.25.1
Vulnerability: untrusted search path
Severity: Critical
Date: 12/03/2025
Prediction: Patch 1.25.1
What Undercode Say:
Analytics:
Check PgBouncer version
pgbouncer --version
Review auth_query config
grep auth_query pgbouncer.ini
Test connection (conceptual)
nc -vz $HOST 6432
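The three checks above can be combined into one offline triage script. This is an added example, not code from the original post or from the PgBouncer project: it parses the text that `pgbouncer --version` and `grep auth_query pgbouncer.ini` would produce, compares the build against the 1.25.1 release named in the advisory, and reports a host as exposed only when the version is unpatched and an active auth_query line is configured. The sample version output and ini fragment are constructed for the example; the live_check helper is an assumption about where the real inputs come from and runs only if a pgbouncer binary is on PATH.

```python
"""Added example (not part of the original advisory): triage a PgBouncer
deployment for the auth_query untrusted search_path issue.

Exposure requires two things the advisory names: a build older than 1.25.1
and auth_query being in use. Both checks work on plain text so they can be
run offline against collected command output and config files."""
import re
import shutil
import subprocess

PATCHED = (1, 25, 1)  # first fixed release named in the advisory


def parse_version(output: str):
    """Extract (major, minor, patch) from `pgbouncer --version` output.

    'PgBouncer 1.24.0' -> (1, 24, 0). Returns None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_version(output: str) -> bool:
    """True when the reported build is older than the patched 1.25.1 release."""
    v = parse_version(output)
    return v is not None and v < PATCHED


def auth_query_lines(ini_text: str):
    """Return active (uncommented) auth_query settings from a pgbouncer.ini.

    Lines starting with ';' or '#' are comments in the ini format and are
    skipped, so a commented-out auth_query does not count as configured."""
    found = []
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith((";", "#")):
            continue
        if re.match(r"auth_query\s*=", s):
            found.append(s)
    return found


def assess(version_output: str, ini_text: str) -> dict:
    """Combine both checks: exposed only if unpatched AND auth_query is in use."""
    unpatched = is_vulnerable_version(version_output)
    queries = auth_query_lines(ini_text)
    return {
        "version": parse_version(version_output),
        "unpatched": unpatched,
        "auth_query": queries,
        "exposed": unpatched and bool(queries),
    }


# Constructed sample inputs for the example; not output captured from any host.
SAMPLE_VERSION = "PgBouncer 1.24.0\nlibevent 2.1.12-stable\n"
SAMPLE_INI = """[pgbouncer]
listen_port = 6432
auth_type = scram-sha-256
; auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1
auth_query = SELECT usename, passwd FROM user_lookup($1)
"""


def live_check(ini_path: str = "/etc/pgbouncer/pgbouncer.ini"):
    """Assumed helper: run the real checks when pgbouncer is installed locally.

    Returns None when no pgbouncer binary or ini file is available."""
    exe = shutil.which("pgbouncer")
    if exe is None:
        return None
    try:
        out = subprocess.run([exe, "--version"], capture_output=True,
                             text=True, timeout=10).stdout
        with open(ini_path, encoding="utf-8") as fh:
            ini = fh.read()
    except (OSError, subprocess.SubprocessError):
        return None
    return assess(out, ini)


if __name__ == "__main__":
    result = live_check() or assess(SAMPLE_VERSION, SAMPLE_INI)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The ini scan deliberately ignores commented lines, because the most common false positive when grepping a config is a disabled example setting; the version comparison uses a numeric tuple rather than string comparison so that 1.9.x sorts below 1.25.1 correctly.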
How Exploit:
Craft malicious StartupMessage.
Inject search_path parameter.
Execute arbitrary SQL.
Protection from this CVE:
Update to 1.25.1.
Restrict database search_path.
Secure auth_query configuration.
Impact:
Unauthenticated SQL execution.
Data breach risk.
Privilege escalation possible.
Sources:
Reported By: nvd.nist.gov