8.2
HIGH
CVE-2025-49146
PostgreSQL pgjdbc Channel Binding Authentication Bypass
Description

pgjdbc is an open source PostgreSQL JDBC driver. From version 42.7.4 until 42.7.7, when the driver is configured with channel binding set to required (the default value is prefer), it would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. The vulnerability is fixed in 42.7.7.

INFO

Published Date: June 11, 2025, 3:15 p.m.
Last Modified: June 12, 2025, 4:06 p.m.
Remotely Exploitable: Yes
Impact Score: 4.2
Exploitability Score: 3.9

Affected Products

The following products are affected by CVE-2025-49146 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID   Vendor       Product
1    Postgresql   postgresql_jdbc_driver

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-49146.

URL Resource
https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54

The following news articles mention the CVE-2025-49146 vulnerability.

  • Daily CyberSecurity
Flaw in PostgreSQL JDBC Driver (CVE-2025-49146) Exposes Database Connections to MITM Attacks!

A recently disclosed vulnerability in the PostgreSQL JDBC Driver (PgJDBC) could allow attackers to intercept database connections even when security settings are configured to prevent such attacks. Tr ... Read more

Published Date: Jun 13, 2025 (2 days, 9 hours ago)
  • Daily CyberSecurity
High-Severity Flaw in HashiCorp Nomad (CVE-2025-4922) Allows Privilege Escalation

HashiCorp has disclosed a high-severity vulnerability in its workload orchestration tool, Nomad, which could allow attackers to escalate privileges by exploiting a flaw in the system’s Access Control ... Read more

Published Date: Jun 13, 2025 (2 days, 9 hours ago)

The following table lists the changes that have been made to the CVE-2025-49146 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by [email protected]

    Jun. 11, 2025

    Action Type Old Value New Value
    Added Description pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    Added CWE CWE-287
    Added Reference https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0
    Added Reference https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

[Chart: EPSS score history of the vulnerability]

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-49146 is associated with the following CWE:

CWE-287

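CVSS 3.1 - Vulnerability Scoring System

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None
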
Latest DB Update: Jun. 15, 2025 10:03