CVE-2025-49146
Authentication Bypass vulnerability in postgresql (Maven)

Category: Authentication Bypass | Known exploits: none | Fixable by Resolved Security

What is CVE-2025-49146 About?

This vulnerability in the PostgreSQL JDBC driver incorrectly allows connections to proceed with authentication methods not supporting channel binding, even when channel binding is set to `required`. This can enable man-in-the-middle attacks, undermining expected security protections. Exploitation requires an attacker to intercept network traffic.

Affected Software

org.postgresql:postgresql >42.7.4, <42.7.7

Technical Details

The vulnerability affects the PostgreSQL JDBC driver when it is configured with channel binding set to required (the default is prefer). Despite this strict setting, the driver incorrectly permits connections to be established using authentication methods that do not inherently support channel binding, such as password, MD5, GSS, or SSPI authentication. This defect weakens the security posture, because users assume their connections are protected by channel binding's MITM prevention. A man-in-the-middle attacker can intercept these connections: the client implicitly trusts the server without proper channel binding verification, so the attacker can eavesdrop on or manipulate communication while the legitimate client believes it is securely connected. The suggested mitigation is to configure sslMode=verify-full so that MITM attacks are properly prevented, which highlights the driver's failure to enforce channel binding requirements.
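The following is an added example, not code from the advisory or from the pgjdbc project. It shows the mitigation the advisory describes (sslmode=verify-full with a CA bundle, while still requesting channel binding) and a post-connect check that reads the driver version through the standard JDBC DatabaseMetaData API and flags versions in the affected range. The host, database, user and CA path are placeholders; the pgjdbc property names `sslmode`, `sslrootcert` and `channelBinding` are assumed to be spelled as shown here.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HardenedPgConnection {

    // Matches "major.minor.patch" inside a driver version string such as
    // "PostgreSQL JDBC Driver 42.7.5".
    private static final Pattern SEMVER = Pattern.compile("(\\d+)\\.(\\d+)\\.(\\d+)");

    // Connection properties that do not depend on the driver honouring channelBinding=require.
    // sslmode=verify-full makes the client validate the server certificate chain against the
    // given CA bundle and check the hostname, so an interposed server fails the TLS handshake
    // no matter which authentication method it later asks for.
    static Properties hardenedProperties(String user, String password, String caBundlePath) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        props.setProperty("sslmode", "verify-full");
        props.setProperty("sslrootcert", caBundlePath);
        // Keep requesting channel binding too; on a fixed driver this rejects non-SCRAM methods.
        props.setProperty("channelBinding", "require");
        return props;
    }

    // True when the version string falls inside the advisory's affected range: >42.7.4, <42.7.7.
    // An unparseable string returns false; callers who want to be strict can treat that as unknown.
    static boolean isAffectedDriverVersion(String versionString) {
        Matcher m = SEMVER.matcher(versionString);
        if (!m.find()) {
            return false;
        }
        int major = Integer.parseInt(m.group(1));
        int minor = Integer.parseInt(m.group(2));
        int patch = Integer.parseInt(m.group(3));
        return major == 42 && minor == 7 && patch > 4 && patch < 7;
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder host, database and CA bundle path (assumptions, not values from the advisory).
        String url = "jdbc:postgresql://db.example.internal:5432/appdb";
        String password = System.getenv("PGPASSWORD");
        if (password == null) {
            throw new IllegalStateException("PGPASSWORD is not set");
        }
        Properties props = hardenedProperties("app", password, "/etc/ssl/certs/internal-ca.pem");

        try (Connection conn = DriverManager.getConnection(url, props)) {
            String version = conn.getMetaData().getDriverVersion();
            if (isAffectedDriverVersion(version)) {
                System.err.println("WARNING: " + version
                    + " is in the range affected by CVE-2025-49146; upgrade to 42.7.7");
            } else {
                System.out.println("Driver " + version + " is outside the affected range");
            }
        }
    }
}
```

The version check is an audit signal only: the protection against an interposed server comes from verify-full, which is enforced during the TLS handshake before any authentication method is negotiated, so it holds even on a driver that still has the channel binding defect.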

What is the Impact of CVE-2025-49146?

Successful exploitation may allow attackers to conduct man-in-the-middle attacks, intercept communications, and potentially bypass authentication mechanisms.

What is the Exploitability of CVE-2025-49146?

Exploiting this vulnerability requires the target PostgreSQL JDBC driver to be configured with channel binding set to required, and the connection attempting to use an authentication method that does not support channel binding. No direct authentication to the application is necessary for the MITM attack itself, but the attacker needs to be in a position to intercept network traffic between the client and the PostgreSQL server. This is typically a remote attack, but local network access could also be sufficient. No specific privileges are required on the client or server beyond network access. The complexity is moderate, requiring an attacker to set up an effective MITM compromise. The risk is significantly increased by unawareness of the specific configuration requirements and the false sense of security provided by the 'required' channel binding setting.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-49146?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch ensures that when channel binding is required in pgjdbc, authentication is only permitted using SCRAM (SASL) methods and only if the handshake is completed, rejecting MD5 or other authentication mechanisms. This fixes CVE-2025-49146 by preventing downgrade attacks where a server could cause the client to silently fall back to an insecure authentication method without channel binding, thus enforcing the expected security guarantees.
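The following is an added example that models the decision the fix description above lays out; it is not pgjdbc's own code and the enum names are assumptions. The vulnerable policy only enforces the channel-binding mode inside the SCRAM exchange, so a server that requests password, MD5, GSS or SSPI is simply obeyed; the patched policy, under require, accepts only SCRAM with channel binding and only after the SASL handshake has completed.

```java
public class ChannelBindingPolicy {

    // channelBinding connection-property values (the advisory names required and prefer;
    // prefer is the default).
    enum Mode { DISABLE, PREFER, REQUIRE }

    // Authentication methods a server can request. Only SCRAM_SHA_256_PLUS is the
    // channel-binding variant of SCRAM; the others carry no binding at all.
    enum AuthMethod { PASSWORD, MD5, GSS, SSPI, SCRAM_SHA_256, SCRAM_SHA_256_PLUS }

    static boolean isScram(AuthMethod m) {
        return m == AuthMethod.SCRAM_SHA_256 || m == AuthMethod.SCRAM_SHA_256_PLUS;
    }

    // Model of the vulnerable behaviour: the mode is consulted only on the SCRAM path.
    // A non-SCRAM request from the server is completed as if channel binding had never
    // been configured, which is the downgrade the advisory describes.
    static boolean vulnerableAccepts(Mode mode, AuthMethod method, boolean scramHandshakeCompleted) {
        if (isScram(method)) {
            if (mode == Mode.REQUIRE) {
                return method == AuthMethod.SCRAM_SHA_256_PLUS && scramHandshakeCompleted;
            }
            return scramHandshakeCompleted;
        }
        return true; // mode ignored for password/MD5/GSS/SSPI
    }

    // Model of the patched behaviour: with REQUIRE, success is possible only through SCRAM
    // with channel binding and only once the SASL exchange has completed. Every other
    // method is rejected, so the server cannot steer the client onto an unbound method.
    static boolean patchedAccepts(Mode mode, AuthMethod method, boolean scramHandshakeCompleted) {
        if (mode == Mode.REQUIRE) {
            return method == AuthMethod.SCRAM_SHA_256_PLUS && scramHandshakeCompleted;
        }
        // DISABLE and PREFER keep the permissive behaviour for non-SCRAM methods.
        return isScram(method) ? scramHandshakeCompleted : true;
    }

    public static void main(String[] args) {
        Mode mode = Mode.REQUIRE;
        System.out.println("channelBinding=require, SCRAM handshake completed where applicable:");
        for (AuthMethod method : AuthMethod.values()) {
            System.out.printf("  %-18s vulnerable=%-5s patched=%s%n", method,
                vulnerableAccepts(mode, method, true), patchedAccepts(mode, method, true));
        }
        // SCRAM with binding was requested but the SASL exchange did not run to completion:
        // the patched policy still refuses.
        System.out.println("SCRAM_SHA_256_PLUS, handshake not completed: patched="
            + patchedAccepts(mode, AuthMethod.SCRAM_SHA_256_PLUS, false));
    }
}
```

Running the table makes the difference visible: under the vulnerable model every row is accepted except an unfinished SCRAM exchange, whereas the patched model accepts exactly one row, SCRAM_SHA_256_PLUS with a completed handshake.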

Available Upgrade Options

  • org.postgresql:postgresql
    • >42.7.4, <42.7.7 → Upgrade to 42.7.7


Additional Resources

What are Similar Vulnerabilities to CVE-2025-49146?

Similar Vulnerabilities: CVE-2021-41379, CVE-2022-21248, CVE-2020-13936, CVE-2021-42392, CVE-2023-39325