CVE-2025-2291: 
CBL Mariner vulnerability analysis and mitigation

CVE-2025-2291 is a security vulnerability in PgBouncer affecting versions prior to 1.24.1, discovered and disclosed on April 16, 2025. The vulnerability allows expired passwords to be used for authentication when PgBouncer is used as a transparent proxy in front of PostgreSQL. This occurs because PgBouncer's auth_query functionality did not take into account PostgreSQL's VALID UNTIL value when querying for password hashes (PgBouncer Changelog).

The vulnerability stems from a flaw in PgBouncer's authentication mechanism where the auth_query function fails to consider the VALID UNTIL timestamp when validating user passwords. This oversight allows authentication attempts to succeed even when the associated password has expired in the PostgreSQL backend. The issue has been assigned a CVSS v3.1 score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating potential for high impact on confidentiality, integrity, and availability (NVD Database).

The vulnerability enables attackers to authenticate using expired passwords when PgBouncer is configured as a transparent proxy for PostgreSQL. This bypasses an important security control and could allow unauthorized access to database resources even after credentials have been explicitly expired by administrators (PgBouncer Changelog).

The issue has been fixed in PgBouncer version 1.24.1. Organizations can either upgrade to this version or modify their custom authquery to include VALID UNTIL checks if using an older version. The default authquery has been updated in version 1.24.1 to properly consider the VALID UNTIL value (PgBouncer Changelog).