CVE-2025-12819

High

Published: 03 December 2025

Published

03 December 2025

Modified

27 December 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 37.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of flaws like the untrusted search_path in PgBouncer's auth_query handler, directly enabling patching to version 1.25.1.

SI-10 Information Input Validation good match

prevent

Mandates validation of information inputs such as the malicious search_path parameter in the StartupMessage to block arbitrary SQL execution during authentication.

SI-4 System Monitoring partial match

detect

Provides system monitoring to identify ongoing exploitation of the authentication process through anomalous connection attempts or SQL execution in PgBouncer.

Security SummaryAI

CVE-2025-12819 is an untrusted search path vulnerability (CWE-426) in the auth_query connection handler of PgBouncer versions before 1.25.1. This flaw enables an unauthenticated attacker to execute arbitrary SQL during the authentication process by supplying a malicious search_path parameter within the StartupMessage. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability despite requiring high attack complexity and low privileges.

An unauthenticated attacker can exploit this vulnerability over the network during connection authentication to PgBouncer. By crafting a StartupMessage with a manipulated search_path, the attacker tricks the handler into executing arbitrary SQL commands, potentially compromising the underlying PostgreSQL database connections pooled by PgBouncer.

Mitigation is addressed in PgBouncer 1.25.1, as detailed in the project's changelog at https://www.pgbouncer.org/changelog.html#pgbouncer-125x. Debian LTS users should refer to the announcement at https://lists.debian.org/debian-lts-announce/2025/12/msg00033.html for patched packages and additional guidance.

Details

CWE(s): CWE-426

Affected Products

pgbouncer

≤ 1.25.1

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthenticated remote attackers to execute arbitrary SQL commands during PgBouncer authentication by manipulating the search_path parameter, directly facilitating exploitation of a remote service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.pgbouncer.org/changelog.html#pgbouncer-125x
Release Notes · f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
https://lists.debian.org/debian-lts-announce/2025/12/msg00033.html
af854a3a-2127-422b-91ae-364da2661108