CVE-2025-12819 - Arbitrary SQL execution in pgBouncer

First Published: 2025/12/15

Last Updated: 2025/12/15

Important: This is an assessment of the impact of CVE-2025-12819 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

Summary

Untrusted search path in auth_query connection handler in pgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.

Vulnerability details

CVE-ID: CVE-2025-12819

CVSS Base Score: 7.5

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products and versions

EDB pgBouncer

  • All versions of EDB pgBouncer prior to 1.25.1.

EDB Postgres® AI for CloudNativePG™

  • All community and EDB Postgres® AI for CloudNativePG™ versions prior to 1.28.0, 1.27.2, 1.26.3 and 1.25.5, including older release lines.

EDB Cloud Service (formerly Big Animal)

  • All EDB Cloud Service versions before the 15th of December 2025 release.

Remediation/fixes

EDB pgBouncer

Affected Versions              Fixed In   Fix Published
All versions prior to 1.25.1   1.25.1     2025-12-10

EDB Postgres® AI for CloudNativePG™

Affected Versions                                                                  Fixed In   Fix Published
All community and EDB Postgres® AI for CloudNativePG™ versions prior to 1.28.0     1.28.0     2025-12-16
All community and EDB Postgres® AI for CloudNativePG™ versions prior to 1.27.2     1.27.2     2025-12-16
All community and EDB Postgres® AI for CloudNativePG™ versions prior to 1.26.3     1.26.3     2025-12-16
All community and EDB Postgres® AI for CloudNativePG™ versions prior to 1.25.5     1.25.5     2025-12-16

The versions above are the ones that use EDB pgBouncer 1.25.1 by default.
Other versions can be configured to use EDB pgBouncer 1.25.1 to mitigate the vulnerability.

EDB Cloud Service (formerly Big Animal)

Affected Versions                                                         Fixed In                    Fix Published
All EDB Cloud Service versions before the 15th of December 2025 release   15th December 2025 release  2025-12-15
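As an added example that is not part of this advisory or of EDB's tooling, a Python check that flags a pgBouncer host as affected when its reported version predates the fixed 1.25.1 release and records whether auth_query, the handler named in the summary, is explicitly configured. The `pgbouncer -V` output layout and the sample pgbouncer.ini are constructed assumptions; the version comparison is the authoritative criterion, the auth_query flag only notes exposure of that code path.

```python
import re

FIXED_VERSION = (1, 25, 1)   # versions strictly below this are listed as affected

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_VERSION = "PgBouncer 1.24.1\nlibevent 2.1.12-stable\n"
SAMPLE_INI = """[databases]
app = host=db.internal port=5432 dbname=app
[pgbouncer]
listen_port = 6432
auth_type = scram-sha-256
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1
"""

def parse_version(text):
    """Return the first X.Y.Z version in `pgbouncer -V` style output as a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no X.Y.Z version found in %r" % text)
    return tuple(int(g) for g in m.groups())

def auth_query_configured(ini_text):
    """True when pgbouncer.ini explicitly sets auth_query under [pgbouncer]."""
    # Hand-rolled scan: pgbouncer.ini values often contain '=' and '%', which
    # trip configparser's key splitting and interpolation.
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "pgbouncer":
            key, _, value = line.partition("=")
            if key.strip().lower() == "auth_query" and value.strip():
                return True
    return False

def assess(version_text, ini_text):
    """Combine both checks into one finding for a ticket or dashboard."""
    version = parse_version(version_text)
    affected = version < FIXED_VERSION
    uses_auth_query = auth_query_configured(ini_text)
    if not affected:
        status = "fixed"
    elif uses_auth_query:
        status = "vulnerable: auth_query configured, upgrade to 1.25.1 or later"
    else:
        status = "affected version, upgrade to 1.25.1 or later"
    return {"version": ".".join(map(str, version)), "affected": affected,
            "auth_query": uses_auth_query, "status": status}
```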
