CVE-2025-12819 — pgbouncer - security update

Description

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.

How to fix CVE-2025-12819

To remediate CVE-2025-12819, upgrade the affected package to a fixed version below.

Bitnami/pgbouncer—upgrade to 1.25.1 or later
—upgrade to 1.15.0-1+deb11u2 or later
—upgrade to 1.15.0-1+deb11u2 or later

Is CVE-2025-12819 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 1.25.1
from 0, < 1.15.0-1+deb11u2
from 0, < 1.15.0-1+deb11u2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-12819
WEBlists.debian.org/debian-lts-announce/2025/12/msg00033.html
WEBnvd.nist.gov/vuln/detail/CVE-2025-12819
WEBwww.pgbouncer.org/changelog.html#pgbouncer-125x