CVE-2025-12819 Overview
CVE-2025-12819 is an untrusted search path vulnerability in the auth_query connection handler of PgBouncer before version 1.25.1. The flaw allows an unauthenticated attacker to execute arbitrary SQL during authentication by supplying a malicious search_path parameter in the PostgreSQL StartupMessage. Because PgBouncer is widely deployed as a connection pooler in front of PostgreSQL, exploitation can compromise the confidentiality, integrity, and availability of backend databases. The vulnerability is tracked under CWE-426: Untrusted Search Path.
Critical Impact
Unauthenticated attackers can inject and execute arbitrary SQL during the authentication phase, potentially leading to data theft, privilege escalation within PostgreSQL, or full database compromise.
Affected Products
- PgBouncer versions prior to 1.25.1
- Deployments using the auth_query configuration directive for authentication
- Debian LTS packages of PgBouncer (see Debian LTS advisory)
Discovery Timeline
- 2025-12-03 - CVE-2025-12819 published to the National Vulnerability Database (NVD)
- 2025-12-27 - Last updated in NVD database
Technical Details for CVE-2025-12819
Vulnerability Analysis
The vulnerability resides in how PgBouncer processes client-supplied parameters during the PostgreSQL connection handshake. PgBouncer accepts a StartupMessage from the client, which can include arbitrary runtime parameters such as search_path. When PgBouncer is configured to use auth_query to verify credentials against the backend PostgreSQL database, it forwards or applies the attacker-controlled search_path before executing the authentication query.
PostgreSQL resolves unqualified object names using the active search_path. An attacker who controls this value can prepend a malicious schema, causing the auth_query to invoke attacker-defined functions or tables instead of the intended catalog objects. Because this occurs prior to authentication completing, the attacker does not require valid credentials to trigger the SQL execution.
Root Cause
The root cause is the failure to sanitize or override the search_path parameter received in the StartupMessage before executing auth_query. PgBouncer trusted a client-controlled value to govern schema resolution in a privileged authentication context, which is the classic untrusted search path weakness described in CWE-426.
Attack Vector
The attack is network-based and requires no prior authentication. An attacker connects to the PgBouncer listener and sends a crafted StartupMessage containing a search_path value pointing to a schema the attacker has staged, or referencing objects engineered to coerce execution of malicious SQL functions during the auth_query lookup. The high attack complexity reflects the requirement that the target environment uses auth_query and that the attacker can influence schemas reachable by the auth user.
No public proof-of-concept exploit code is available at the time of writing. Refer to the PgBouncer Changelog for 1.25.x for the upstream description of the fix.
Detection Methods for CVE-2025-12819
Indicators of Compromise
- Unexpected SET search_path or schema-qualified function calls observed in PostgreSQL logs originating from the PgBouncer auth user session.
- Creation of unfamiliar schemas, functions, or tables owned by or accessible to the PgBouncer authentication role.
- PgBouncer log entries showing StartupMessage parameters containing unusual search_path values from untrusted client IPs.
Detection Strategies
- Enable verbose PostgreSQL log_statement = 'all' on the backend used by auth_query and inspect statements run by the auth role for anomalies.
- Audit PgBouncer logs for connections originating from unexpected source addresses during authentication failures.
- Compare installed PgBouncer binary versions against 1.25.1 across all hosts to identify exposed instances.
Monitoring Recommendations
- Alert on any schema creation or function definition events executed by the PgBouncer authentication account.
- Monitor network ingress to PgBouncer ports (default 6432) from untrusted networks and rate-limit failed authentications.
- Track PostgreSQL pg_stat_activity for queries containing references to non-default schemas during authentication windows.
How to Mitigate CVE-2025-12819
Immediate Actions Required
- Upgrade PgBouncer to version 1.25.1 or later on all affected hosts immediately.
- Restrict network access to PgBouncer listeners so only trusted application hosts can connect.
- Review the privileges of the auth_query PostgreSQL role and reduce them to the minimum required to read authentication data.
Patch Information
The upstream fix is included in PgBouncer 1.25.1. Refer to the PgBouncer Changelog for 1.25.x for release notes. Debian LTS users should apply updates announced in the Debian LTS Announcement.
Workarounds
- Use auth_hba_file or auth_file based authentication instead of auth_query until patching is complete.
- Schema-qualify all object references inside any custom auth_query statement to prevent search_path from influencing resolution.
- Set an explicit, restrictive search_path for the authentication role at the PostgreSQL level using ALTER ROLE ... SET search_path = pg_catalog, public.
# Configuration example: harden the auth role search_path in PostgreSQL
ALTER ROLE pgbouncer_auth_user SET search_path = pg_catalog;
# Verify PgBouncer version after upgrade
pgbouncer --version # should report 1.25.1 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

