PgBouncer 1.25.2 has been released. This release fixes several security issues and contains a few minor documentation corrections.

See the full details in the changelog.

Download here: pgbouncer-1.25.2.tar.gz (sha256)

PgBouncer 1.25.1 has been released. This release fixes CVE-2025-12819: Before this release it was possible for an unauthenticated attacker to execute arbitrary SQL during authentication by providing a malicious search_path parameter in the StartupMessage. Systems that have ALL the following configurations are vulnerable:

1. track_extra_parameters includes search_path (non-default configuration, probably only configured in setups involving Citus or PostgreSQL 18)
2. auth_user is set to a non-empty string (non-default configuration)
3. auth_query is configured without fully-qualified object names (default configuration, the < operator is not schema q

This release also fixes a bunch of bugs/issues introduced in the recent 1.25.0 release.

See the full details in the changelog.

Download here: pgbouncer-1.25.1.tar.gz (sha256)

PgBouncer 1.25.0 has been released. This release contains a number of new features along with a variety of improvements and bug fixes. Highlights are:

• Support for LDAP authentication.
• Support for client-side “direct” TLS connections.
• Reporting connected but idle client connections as idle instead of active.
• Greatly improving performance of SCRAM authentication.

See the full details in the changelog.

Download here: pgbouncer-1.25.0.tar.gz (sha256)