Home > Vulnerability Database > CVE-2025-49146

Mend.io Vulnerability Database

CVE-2025-49146

Good to know:

Date: June 11, 2025

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

Severity Score

8.2

Related Resources (9)

Url: https://github.com/pgjdbc/pgjdbc

Url: https://datatracker.ietf.org/doc/html/rfc5802

Url: https://datatracker.ietf.org/doc/html/rfc7677

Url: https://security-tracker.debian.org/tracker/CVE-2025-49146

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-49146

Url: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54

Url: https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256

Url: https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0

Url: https://www.mend.io/vulnerability-database/CVE-2025-49146

Severity Score

8.2

Weakness Type (CWE)

Improper Authentication

CWE-287

Top Fix

Upgrade Version

Upgrade to version org.postgresql:postgresql:42.7.7;https://github.com/pgjdbc/pgjdbc.git - REL42.7.7

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-49146

Good to know:

Date: June 11, 2025

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?