PgBouncer 1.25.1 has been released. This release fixes CVE-2025-12819: Before this release it was possible for an unauthenticated attacker to execute arbitrary SQL during authentication by providing a malicious search_path parameter in the StartupMessage. Systems that have ALL the following configurations are vulnerable:

1. track_extra_parameters includes search_path (non-default configuration, probably only configured in setups involving Citus or PostgreSQL 18)
2. auth_user is set to a non-empty string (non-default configuration)
3. auth_query is configured without fully-qualified object names (default configuration, the < operator is not schema q

This release also fixes a bunch of bugs/issues introduced in the recent 1.25.0 release.

See the full details in the changelog.

Download here: pgbouncer-1.25.1.tar.gz (sha256)