Cyber Posture

CVE-2025-12819

High

Published: 03 December 2025

Modified: 27 December 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (39.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-12819 is a high-severity Untrusted Search Path (CWE-426) vulnerability in PgBouncer (vendor/product: Pgbouncer Pgbouncer). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 39.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: SI-2 (Flaw Remediation). Requires timely identification, reporting, and correction of flaws like the untrusted search_path in PgBouncer's auth_query handler, directly enabling patching to version 1.25.1.

prevent: SI-10 (Information Input Validation). Mandates validation of information inputs such as the malicious search_path parameter in the StartupMessage to block arbitrary SQL execution during authentication.

detect: System monitoring. Provides monitoring to identify ongoing exploitation of the authentication process through anomalous connection attempts or SQL execution in PgBouncer.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The vulnerability enables unauthenticated remote attackers to execute arbitrary SQL commands during PgBouncer authentication by manipulating the search_path parameter, directly facilitating exploitation of a remote service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.

Deeper analysis (AI-generated)

CVE-2025-12819 is an untrusted search path vulnerability (CWE-426) in the auth_query connection handler of PgBouncer versions before 1.25.1. The flaw allows an unauthenticated attacker to execute arbitrary SQL during the authentication process by supplying a malicious search_path parameter in the StartupMessage. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability, even though the vector records high attack complexity and low privileges required.

An unauthenticated attacker can exploit this vulnerability over the network during connection authentication to PgBouncer. By crafting a StartupMessage with a manipulated search_path, the attacker causes the handler to execute arbitrary SQL, potentially compromising the underlying PostgreSQL database connections pooled by PgBouncer.

The fix is shipped in PgBouncer 1.25.1, as detailed in the project's changelog at https://www.pgbouncer.org/changelog.html#pgbouncer-125x. Debian LTS users should refer to the announcement at https://lists.debian.org/debian-lts-announce/2025/12/msg00033.html for patched packages and additional guidance.

Details

CWE(s)

CWE-426 (Untrusted Search Path)

Affected Products

pgbouncer / pgbouncer, versions ≤ 1.25.1

CVEs Like This One

CVE-2026-6665: same product (Pgbouncer Pgbouncer)
CVE-2026-6664: same product (Pgbouncer Pgbouncer)
CVE-2026-30906: shared CWE-426
CVE-2025-21399: shared CWE-426
CVE-2024-48123: shared CWE-426
CVE-2025-21365: shared CWE-426
CVE-2026-27290: shared CWE-426
CVE-2025-0145: shared CWE-426
CVE-2025-0707: shared CWE-426
CVE-2026-2998: shared CWE-426

References