PgBouncer 1.25.1 has been released. This release fixes CVE-2025-12819: Before this release it was possible for an unauthenticated attacker to execute arbitrary SQL during authentication by providing a malicious search_path parameter in the StartupMessage. Systems that have ALL the following configurations are vulnerable:
track_extra_parameters includes search_path (non-default configuration, probably only configured in setups involving Citus or PostgreSQL 18)auth_user is set to a non-empty string (non-default configuration)auth_query is configured without fully-qualified object names (default configuration, the < operator is not schema qThis release also fixes a bunch of bugs/issues introduced in the recent 1.25.0 release.
See the full details in the changelog.
Download here: pgbouncer-1.25.1.tar.gz (sha256)