CVE-2025-2291 HIGH

CVE-2025-2291: PgBouncer default auth_query does not take Postgres password expiry into account

Vendor N/A
Product PgBouncer
Weakness CWE-324
Published April 16, 2025
Last update November 3, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password

Key dates

02Disclosure timeline

April 16, 2025 CVE published
November 3, 2025 Record updated