PgBouncer 1.25.1 has been released. This release fixes CVE-2025-12819: before this release, it was possible for an unauthenticated attacker to execute arbitrary SQL during authentication by providing a malicious search_path parameter in the StartupMessage.

Systems that have ALL the following configurations are vulnerable:

- track_extra_parameters includes search_path (non-default configuration, probably only configured in setups involving Citus or PostgreSQL 18)
- auth_user is set to a non-empty string (non-default configuration)
- auth_query is configured without fully-qualified object names (default configuration, the < operator is not schema q

This release also fixes a bunch of bugs/issues introduced in the recent 1.25.0 release. See the full details in the changelog.

Download here: pgbouncer-1.25.1.tar.gz (sha256)
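To check a deployment against the configuration conditions listed above, the following added example (not part of the announcement or of PgBouncer itself) audits a pgbouncer.ini for the first two conditions and surfaces the effective auth_query for manual review. The sample configuration, the function names and the check of per-database auth_user entries in the connection string are assumptions of this example.

```python
import re

# Constructed sample pgbouncer.ini for illustration (not taken from the advisory).
SAMPLE_INI = """\
[databases]
app = host=127.0.0.1 dbname=app auth_user=pgb_auth

[pgbouncer]
; extra startup parameters PgBouncer tracks per client
track_extra_parameters = IntervalStyle, search_path
auth_type = scram-sha-256
"""

def parse_ini(text):
    """Minimal INI reader returning {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#%":   # comments; %include is not followed
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """Report the advisory's configuration preconditions for one config file."""
    cfg = parse_ini(text)
    pgb = cfg.get("pgbouncer", {})
    tracked = [p.strip().lower() for p in pgb.get("track_extra_parameters", "").split(",")]
    # auth_user may be set globally or per database in the connection string.
    per_db = [name for name, conn in cfg.get("databases", {}).items()
              if re.search(r"(?:^|\s)auth_user\s*=\s*'?[^\s']+", conn)]
    result = {
        "tracks_search_path": "search_path" in tracked,
        "auth_user_set": bool(pgb.get("auth_user")) or bool(per_db),
        "auth_user_databases": per_db,
        # None means the built-in default auth_query is in effect.
        "auth_query": pgb.get("auth_query"),
    }
    # The third condition (auth_query name qualification) needs manual review.
    result["review_auth_query"] = result["tracks_search_path"] and result["auth_user_set"]
    return result

if __name__ == "__main__":
    for key, value in audit(SAMPLE_INI).items():
        print(f"{key}: {value}")
```

A result with review_auth_query set to True means the first two conditions hold, so the auth_query in effect should be reviewed against the third condition and the upgrade to 1.25.1 prioritized.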
PgBouncer 1.25.1 released - Fixing a bunch of bugs before Christmas (including CVE-2025-12819)
Contents
Linked CVEs
| CVE-ID | Severity (CVE.org) | CVSS (CVE.org) | EPSS | EPSS-% | Published (CVE.org) |
|---|---|---|---|---|---|
| - | - | - | - | - | - |
Source details
| Label | Name | Category | Tags | Target audience | Language | Feed-URL |
|---|---|---|---|---|---|---|
| PostgreSQL | vendor_advisory | database | - | de | https://www.postgresql.org/news/security.rss |