
CVE-2025-49146

Published Unknown

CVSS Score (V3.1)

Not Available: no base score is recorded for this entry (the ENISA and GitHub sections below carry a scored vector).
Base Score Metrics: Exploitability N/A, Impact N/A

EPSS Score (v2025.03.14)

Probability of exploitation in the wild within the next 30 days: 0.000 (0.0%)
Percentile: 0.026 (higher than 2.6% of all CVEs)
Updated: 2025-06-25

Attack Vector Metrics

Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope: Not Available

Impact Metrics

Confidentiality, Integrity, Availability: Not Available

Description

pgjdbc is the open source PostgreSQL JDBC driver. In versions 42.7.4 up to but not including 42.7.7, when the driver is configured with channel binding set to require (the channelBinding connection property; the default is prefer), it incorrectly allowed a connection to proceed with authentication methods that cannot carry channel binding (password, MD5, GSS, or SSPI authentication) instead of refusing them. A man-in-the-middle attacker who can steer the session onto one of those methods can therefore intercept a connection that the client believed was protected by the channel binding requirement. This vulnerability is fixed in 42.7.7.

Available Exploits

No exploits available for this CVE.

Related News

PostgreSQL JDBC 42.7.7 Security update for CVE-2025-49146

The PostgreSQL JDBC team have released version 42.7.7 to address CVE-2025-49146. When the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authe…

Postgresql.org 2025-06-13 00:00

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

EU Coordinated

Exploitation Status

No Known Exploitation

ENISA Analysis

pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration

Affected Products (ENISA)

pgjdbc

ENISA Scoring

CVSS Score (3.1): 8.2/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score: 0.020 probability

Data provided by ENISA EU Vulnerability Database. Last updated: June 11, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

GitHub Reviewed. Severity: HIGH

pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration

GHSA-hq9p-pm7w-8p54

Advisory Details

Impact

When the PostgreSQL JDBC driver is configured with channel binding set to `require` (default value is `prefer`), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements.

Patches

TBD in the advisory text; the description above and the affected-version range below give 42.7.7 as the fixed release.

Workarounds

Configure `sslMode=verify-full` to prevent MITM attacks.

References

* https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256
* https://datatracker.ietf.org/doc/html/rfc7677
* https://datatracker.ietf.org/doc/html/rfc5802
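The fallback the Impact section (and the Description above) describes, and the gate that closes it, modelled at the wire level as an added example: this is not pgjdbc's code and is not taken from the advisory. It builds and parses PostgreSQL AuthenticationRequest messages and runs the vulnerable decision beside the hardened one on the same traffic. The message codes and layout follow the PostgreSQL frontend/backend protocol; the sample messages are constructed; the function names, the ChannelBindingRequired exception and the choice to also refuse a bare AuthenticationOk (trust) under require are this example's own assumptions.

```python
import struct

# PostgreSQL backend AuthenticationRequest codes (message type byte 'R').
AUTH_OK = 0                  # "trust", or the end of a successful exchange
AUTH_CLEARTEXT_PASSWORD = 3
AUTH_MD5_PASSWORD = 5        # body carries a 4-byte salt
AUTH_GSS = 7
AUTH_SSPI = 9
AUTH_SASL = 10               # body lists SASL mechanisms, each NUL-terminated, empty name ends it

AUTH_NAMES = {AUTH_OK: "trust", AUTH_CLEARTEXT_PASSWORD: "password",
              AUTH_MD5_PASSWORD: "md5", AUTH_GSS: "gss", AUTH_SSPI: "sspi"}


class ChannelBindingRequired(Exception):
    """Assumed error type: channelBinding=require cannot be honoured."""


def build_auth_request(code, mechanisms=(), extra=b""):
    """Serialise a backend 'R' message: type byte, int32 length counting itself,
    int32 auth code, then the code-specific body (SASL mechanism list, MD5 salt...)."""
    body = struct.pack("!i", code)
    if code == AUTH_SASL:
        for name in mechanisms:
            body += name.encode("ascii") + b"\x00"
        body += b"\x00"                      # terminator after the last name
    body += extra
    return b"R" + struct.pack("!i", len(body) + 4) + body


def parse_auth_request(msg):
    """Decode a backend 'R' message into (auth code, list of SASL mechanisms)."""
    if msg[:1] != b"R" or len(msg) < 9:
        raise ValueError("not an AuthenticationRequest message")
    (length,) = struct.unpack("!i", msg[1:5])
    if length != len(msg) - 1:
        raise ValueError("length field does not match message size")
    (code,) = struct.unpack("!i", msg[5:9])
    mechanisms = []
    if code == AUTH_SASL:
        for name in msg[9:].split(b"\x00"):
            if name == b"":
                break                        # empty name closes the list
            mechanisms.append(name.decode("ascii"))
    return code, mechanisms


def pick_sasl(mechanisms, channel_binding):
    """SASL mechanism choice shared by both variants. The server advertises
    SCRAM-SHA-256-PLUS only on a TLS connection, so offering it implies TLS."""
    if channel_binding != "disable" and "SCRAM-SHA-256-PLUS" in mechanisms:
        return "SCRAM-SHA-256-PLUS"
    if channel_binding == "require":
        raise ChannelBindingRequired("server offered no channel-binding SASL mechanism")
    if "SCRAM-SHA-256" in mechanisms:
        return "SCRAM-SHA-256"
    raise ValueError("no supported SASL mechanism in %r" % (mechanisms,))


def choose_auth_vulnerable(msg, channel_binding="prefer"):
    """The 42.7.4..42.7.6 behaviour the advisory describes: 'require' is enforced only
    inside the SASL branch, so password, MD5, GSS and SSPI requests simply proceed."""
    code, mechanisms = parse_auth_request(msg)
    if code == AUTH_SASL:
        return pick_sasl(mechanisms, channel_binding)
    return AUTH_NAMES[code]


def choose_auth_fixed(msg, channel_binding="prefer"):
    """Hardened gate: under 'require' the only acceptable first request is a SASL
    offer that yields SCRAM-SHA-256-PLUS; every other method is refused before a
    credential leaves the client. Refusing a bare AuthenticationOk (trust) as well
    is an assumption borrowed from libpq's channel_binding=require, not pgjdbc's code."""
    code, mechanisms = parse_auth_request(msg)
    if code == AUTH_SASL:
        return pick_sasl(mechanisms, channel_binding)
    if channel_binding == "require":
        raise ChannelBindingRequired(
            "server requested %s authentication, which cannot carry channel binding"
            % AUTH_NAMES[code])
    return AUTH_NAMES[code]


# Constructed sample traffic: an honest TLS server offering channel binding, and a
# man-in-the-middle that instead asks for a cleartext password.
HONEST_SERVER = build_auth_request(AUTH_SASL, ["SCRAM-SHA-256-PLUS", "SCRAM-SHA-256"])
MITM_DOWNGRADE = build_auth_request(AUTH_CLEARTEXT_PASSWORD)


def compare(msg, channel_binding="require"):
    """Run both decision paths on one message and report what each would do."""
    out = {}
    for label, fn in (("vulnerable", choose_auth_vulnerable), ("fixed", choose_auth_fixed)):
        try:
            out[label] = fn(msg, channel_binding)
        except ChannelBindingRequired as e:
            out[label] = "refused: " + str(e)
    return out


if __name__ == "__main__":
    print("honest server:", compare(HONEST_SERVER))
    print("MITM downgrade:", compare(MITM_DOWNGRADE))
```

Run stand-alone it prints both verdicts for the honest server and for the downgrade; the difference on the second line is the whole CVE, since the vulnerable path hands the password to whoever sent the request. On an affected driver the mitigation the advisory names is to verify the server's identity with TLS instead, sslMode=verify-full with sslrootcert pointing at the issuing CA, so a man in the middle cannot terminate the connection at all, rather than relying on channelBinding=require by itself.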

Affected Packages

Maven: org.postgresql:postgresql, affected versions ≥42.7.4 and <42.7.7

CVSS Scoring

CVSS Score

8.2 (the CVSS 3.1 base score that the vector below yields; the ENISA entry above lists the same vector and score)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Advisory provided by GitHub Security Advisory Database. Published: June 11, 2025, Modified: June 11, 2025

Published: Unknown
Last Modified: Unknown