
Cloud Vulnerability DB
A community-led vulnerabilities database
The PostgreSQL JDBC Driver (pgjdbc) versions 42.7.4 through 42.7.6 contain a security vulnerability (CVE-2025-49146) discovered in June 2025. The flaw occurs when the driver is configured with channel binding set to `require` (the default value is `prefer`): the driver incorrectly allows connections to proceed with authentication methods that do not support channel binding, such as password, MD5, GSS, or SSPI authentication (NVD, GitHub Advisory).
The vulnerability stems from a mishandling of the channelBinding=require configuration in the PostgreSQL JDBC driver. The flaw specifically occurs when the driver fails to properly enforce channel binding requirements for non-SASL authentication methods. The vulnerability has been assigned a CVSS v3.1 score of 8.2 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. The issue is classified as CWE-287 (Improper Authentication) (GitHub Advisory, NVD).
The vulnerability could allow a man-in-the-middle attacker to intercept database connections that users believed were protected by channel binding requirements. This creates a false sense of security where connections thought to be secure could be compromised, potentially exposing sensitive database communications to unauthorized interception (Security Online, GitHub Advisory).
The vulnerability has been patched in PostgreSQL JDBC Driver version 42.7.7. As a workaround, users can configure sslMode=verify-full to prevent MITM attacks. This setting validates the server's certificate and hostname, offering strong defense against man-in-the-middle attacks even when channel binding fails (Security Online, GitHub Advisory).
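An added configuration audit, not code from pgjdbc or the advisory, that applies the three facts above to a JDBC URL: a driver in the 42.7.4 to 42.7.6 range with channelBinding=require and no sslmode=verify-full is exposed, while either the 42.7.7 fix or the verify-full workaround resolves it. The URL and version are constructed inputs; parameter keys are matched case-insensitively so both the `sslmode` and `sslMode` spellings are caught.

```python
"""Audit a pgjdbc connection string for CVE-2025-49146 exposure.

Constructed example (not pgjdbc code): flags a driver in the affected
42.7.4..42.7.6 range configured with channelBinding=require but without
the sslmode=verify-full workaround named in the advisory.
"""
from urllib.parse import parse_qsl, urlsplit

AFFECTED_MIN = (42, 7, 4)   # first affected release
FIXED = (42, 7, 7)          # release that enforces channelBinding=require


def parse_version(text):
    """'42.7.5' -> (42, 7, 5); non-numeric suffixes are ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def jdbc_params(url):
    """Query parameters of a jdbc:postgresql:// URL, keys lower-cased."""
    # Drop the 'jdbc:' prefix so urlsplit sees an ordinary URL.
    plain = url[len("jdbc:"):] if url.startswith("jdbc:") else url
    return {k.lower(): v for k, v in parse_qsl(urlsplit(plain).query)}


def assess(url, driver_version):
    """Return a one-line finding for the given URL and driver version."""
    params = jdbc_params(url)
    cb = params.get("channelbinding", "prefer").lower()   # pgjdbc default
    ssl = params.get("sslmode", "prefer").lower()          # pgjdbc default
    ver = parse_version(driver_version)
    if cb != "require":
        return "not-applicable: channelBinding is '%s'" % cb
    if ver < AFFECTED_MIN or ver >= FIXED:
        return "not-affected: pgjdbc %s is outside 42.7.4-42.7.6" % driver_version
    if ssl == "verify-full":
        return "mitigated: sslmode=verify-full blocks MITM despite CVE-2025-49146"
    return ("vulnerable: pgjdbc %s with channelBinding=require and sslmode=%s "
            "(CVE-2025-49146); upgrade to 42.7.7 or set sslmode=verify-full"
            % (driver_version, ssl))


if __name__ == "__main__":
    # Constructed sample: the configuration the advisory warns about.
    print(assess("jdbc:postgresql://db.example.com:5432/app?channelBinding=require",
                 "42.7.5"))
```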
Source: This report was generated using AI