Dec 3, 2025 - PgBouncer 1.25.1

PgBouncer 1.25.1 has been released. This release fixes CVE-2025-12819: Before this release it was possible for an unauthenticated attacker to execute arbitrary SQL during authentication by providing a malicious search_path parameter in the StartupMessage. Systems that have ALL the following configurations are vulnerable:

  1. track_extra_parameters includes search_path (non-default configuration, probably only configured in setups involving Citus or PostgreSQL 18)
  2. auth_user is set to a non-empty string (non-default configuration)
  3. auth_query is configured without fully-qualified object names (default configuration, the < operator is not schema q
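As an added check that is not part of the PgBouncer announcement or project: a small Python auditor that reads a pgbouncer.ini fragment and reports whether the three conditions above all hold. The sample configs and the catalog relation names it looks for are constructed for illustration; it inspects relation names only (not operators) and treats a missing auth_query as the unqualified default.

```python
import configparser
import re

# Constructed sample pgbouncer.ini fragments for illustration (not from the
# PgBouncer project). The first meets all three conditions from the 1.25.1
# announcement; the second schema-qualifies the catalog table in auth_query.
VULNERABLE_INI = """
[pgbouncer]
track_extra_parameters = IntervalStyle, search_path
auth_user = pgbouncer
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename = $1
"""

QUALIFIED_INI = """
[pgbouncer]
track_extra_parameters = IntervalStyle, search_path
auth_user = pgbouncer
auth_query = SELECT usename, passwd FROM pg_catalog.pg_shadow WHERE usename = $1
"""

# Catalog relations an auth_query typically reads; an unqualified name is
# resolved through search_path, which is what condition 3 is about.
CATALOG_RELATIONS = ("pg_shadow", "pg_authid", "pg_user", "pg_roles")


def parse_pgbouncer_ini(text):
    """Return the [pgbouncer] section as a mapping (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp["pgbouncer"] if cp.has_section("pgbouncer") else {}


def unqualified_catalog_refs(auth_query):
    """Catalog relation names that appear without a 'schema.' prefix."""
    return [rel for rel in CATALOG_RELATIONS
            if re.search(r"(?<![\w.])" + rel + r"\b", auth_query)]


def cve_2025_12819_conditions(text):
    """(tracks search_path, auth_user set, auth_query unqualified)."""
    cfg = parse_pgbouncer_ini(text)
    extra = [p.strip().lower()
             for p in cfg.get("track_extra_parameters", "").split(",")]
    auth_query = cfg.get("auth_query")
    # A missing auth_query means PgBouncer's built-in default, which the
    # announcement describes as not schema-qualified.
    unqualified = (True if auth_query is None
                   else bool(unqualified_catalog_refs(auth_query)))
    return ("search_path" in extra,
            bool(cfg.get("auth_user", "").strip()),
            unqualified)


def is_exposed(text):
    """True only when all three conditions hold, as the announcement states."""
    return all(cve_2025_12819_conditions(text))
```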

This release also fixes a bunch of bugs/issues introduced in the recent 1.25.0 release.

See the full details in the changelog.

Download here: pgbouncer-1.25.1.tar.gz (sha256)

Nov 9, 2025 - PgBouncer 1.25.0

PgBouncer 1.25.0 has been released. This release contains a number of new features along with a variety of improvements and bug fixes. Highlights are:

  • Support for LDAP authentication.
  • Support for client-side “direct” TLS connections.
  • Reporting connected but idle client connections as idle instead of active.
  • Greatly improving performance of SCRAM authentication.

See the full details in the changelog.

Download here: pgbouncer-1.25.0.tar.gz (sha256)

Apr 16, 2025 - PgBouncer 1.24.1

PgBouncer 1.24.1 has been released. This release fixes CVE-2025-2291, which could allow an attacker to bypass Postgres's password expiry. Such a password expiry would have been set up in Postgres using the VALID UNTIL clause. This is a security issue that affects all versions of PgBouncer. If you use both VALID UNTIL and auth_user then you should upgrade, or change the auth_query in your config file to the new auth_query that is used by default in this release. If you are using a custom auth_query then you should update it to be similar to the new default auth_query in this release.

This release also fixes PAM authentication by reverting support for pam in the HBA file. PAM authentication was accidentally broken in 1.24.0.

See the full details in the changelog.

Download here: pgbouncer-1.24.1.tar.gz (sha256)