Thread: PgBouncer 1.24.1 released - Fixes CVE-2025-2291

PgBouncer 1.24.1 released - Fixes CVE-2025-2291

From

PgBouncer via PostgreSQL Announce

Date:

21 April, 16:48:03

PgBouncer 1.24.1 released - Fixes CVE-2025-2291

PgBouncer 1.24.1 has been released. This release fixes CVE-2025-2291, which could allow an attacker to bypass Postgres its password expiry. Such a password expiry would have been set up in Postgres using the VALID UNTIL clause. This is a security issue that affects all versions of PgBouncer. If you use both VALID UNTIL and auth_user then you should upgrade, or change the auth_query in your config file to the new auth_query that is used by default in this release. If you are using a custom auth_query then you should update it be similar to the new default auth_query in this release.

This release also fixes PAM authentication by reverting support for pam in the HBA file. PAM authentication was accidentally broken in 1.24.0.

See https://www.pgbouncer.org/2025/04/pgbouncer-1-24-1 for more information, the detailed changelog, and download links.

PgBouncer is a lightweight connection pooler for PostgreSQL.

This email was sent to you from PgBouncer. It was delivered on their behalf by the PostgreSQL project. Any questions about the content of the message should be sent to PgBouncer.

You were sent this email as a subscriber of the pgsql-announce mailinglist, for for one of the content tags Related Open Source or Security. To unsubscribe from further emails, or change which emails you want to receive, please click the personal unsubscribe link that you can find in the headers of this email, or visit https://lists.postgresql.org/unsubscribe/.