CVE-2025-49146
BaseFortify
Publication date: 2025-06-11
Last updated on: 2025-10-06
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| postgresql | postgresql_jdbc_driver | From 42.7.4 (inc) to 42.7.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| NVD-CWE-noinfo | NVD placeholder meaning "insufficient information"; it is not a weakness entry in the CWE catalogue. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49146 is a vulnerability in the PostgreSQL JDBC driver (pgjdbc) versions 42.7.4 through 42.7.6, fixed in 42.7.7. When the driver is configured with channelBinding=require, it should only complete a connection whose authentication is channel-bound, which in PostgreSQL means SCRAM-SHA-256-PLUS negotiated over TLS. The affected versions instead let the connection proceed when the server asks for an authentication method that cannot carry channel binding at all (password, MD5, GSS or SSPI), rather than failing the connection. Because the whole point of channel binding is to tie the authentication to the TLS session and so detect an interposed endpoint, a man-in-the-middle attacker who can steer the client onto one of those methods can intercept a connection the operator believed was protected, compromising confidentiality. [1, 2]
How can this vulnerability impact me? :
An attacker positioned on the network path between the application and the database can interpose on a connection and potentially read sensitive data that the operator believed was protected by channel binding. The driver permits fallback to authentication methods without channel binding even though channelBinding=require was set, so no privileges on either system and no user interaction are needed. The caveat that matters in practice is that channel binding only adds protection when the TLS layer does not already verify the server's identity (sslMode below verify-full); deployments that pin the server certificate are not exposed to the interception described here. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts. First, inventory the pgjdbc driver in use: any version from 42.7.4 up to and including 42.7.6 is affected, and the exposure is the combination of such a version with channelBinding=require in the JDBC URL or connection properties. The version is visible in your build tool's dependency report, in the driver jar's file name or manifest, or from DatabaseMetaData.getDriverVersion() at runtime; the connection settings are in the application's data-source configuration. Second, check what the server actually authenticated with: PostgreSQL 14 and later log a line of the form "connection authenticated: identity=... method=..." when log_connections is on, and a pgjdbc client that requires channel binding should never appear there with method password, md5, gss or sspi. A matching pg_hba.conf review tells you whether the server can offer those methods to the client at all. No specific commands are provided on this page, but checking the driver version, the connection configuration and the server's authentication logs together is the recommended approach. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Upgrade the PostgreSQL JDBC driver to version 42.7.7 or later, where the driver fails the connection instead of falling back. If upgrading is not immediately possible, configure the driver with sslMode=verify-full as the documented workaround: with the server certificate verified against its hostname, an interposed endpoint cannot complete the TLS handshake, so the authentication method no longer matters for this attack. Do not rely on channelBinding=require alone on an affected driver, since that is precisely the setting it fails to enforce. On the server side, restrict the relevant pg_hba.conf entries to hostssl with scram-sha-256 so that password, MD5, GSS or SSPI authentication is never offered to these clients in the first place, which removes the fallback path regardless of driver version. [1, 2]
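The following is an added example that is not part of the BaseFortify page or of the pgjdbc project. It turns the detection advice (driver version range plus the channelBinding setting, and the server's "connection authenticated" log lines) and the mitigation advice (sslMode=verify-full) into runnable checks. The JDBC URL, host names and log lines are constructed for the example; the assumption that pgjdbc defaults channelBinding to "prefer" when it is not set is marked in the code.

```python
"""Triage and hardening helpers for CVE-2025-49146 (added example, not
pgjdbc's own code). Offline: operates on URLs, version strings and log text."""
import re
from urllib.parse import urlencode

AFFECTED_MIN = (42, 7, 4)   # first affected pgjdbc release (inclusive)
FIXED = (42, 7, 7)          # first fixed release (exclusive upper bound)

# Server-side authentication methods that cannot carry SCRAM channel binding;
# only SCRAM-SHA-256-PLUS negotiated over TLS binds the channel.
NO_CHANNEL_BINDING = {"password", "md5", "gss", "sspi"}

# PostgreSQL 14+ with log_connections=on logs one of these per login.
AUTH_LINE = re.compile(
    r'connection authenticated: identity="(?P<identity>[^"]*)" method=(?P<method>[\w-]+)'
)


def parse_version(text):
    """'42.7.6' -> (42, 7, 6); tolerates a trailing qualifier such as '42.7.6.jre7'."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if len(parts) < 3:
        raise ValueError(f"unrecognised pgjdbc version: {text!r}")
    return tuple(parts[:3])


def driver_is_affected(version):
    """True for 42.7.4 <= version < 42.7.7."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def split_jdbc_url(url):
    """Return (base, params) for jdbc:postgresql://host:port/db?k=v&k2=v2."""
    if not url.startswith("jdbc:postgresql:"):
        raise ValueError("not a pgjdbc URL")
    base, _, query = url.partition("?")
    params = {}
    for item in (query.split("&") if query else []):
        key, _, value = item.partition("=")
        params[key] = value
    return base, params


def assess_connection(url, driver_version):
    """Classify a (URL, driver version) pair.

    'vulnerable'  affected driver and channelBinding=require: the setting the
                  operator relies on is silently not enforced
    'unprotected' channel binding was never required, so there is nothing for
                  the bug to bypass (still worth hardening)
    'ok'          fixed driver with channel binding required, or verify-full
                  TLS already pins the server identity
    """
    _, params = split_jdbc_url(url)
    # Assumption: pgjdbc treats an absent channelBinding as "prefer".
    cb = params.get("channelBinding", "prefer")
    if params.get("sslMode") == "verify-full":
        return "ok"
    if not driver_is_affected(driver_version):
        return "ok" if cb == "require" else "unprotected"
    return "vulnerable" if cb == "require" else "unprotected"


def harden_url(url):
    """Apply the advisory's workaround: pin the server certificate with
    sslMode=verify-full and keep channelBinding=require for the fixed driver."""
    base, params = split_jdbc_url(url)
    params["sslMode"] = "verify-full"
    params["channelBinding"] = "require"
    return base + "?" + urlencode(params)


def flag_weak_auth(log_lines):
    """Return (identity, method) for logins authenticated with a method that
    cannot carry channel binding. A client that requires channel binding
    should never show up here; with the affected driver it can."""
    hits = []
    for line in log_lines:
        m = AUTH_LINE.search(line)
        if m and m.group("method") in NO_CHANNEL_BINDING:
            hits.append((m.group("identity"), m.group("method")))
    return hits


# Constructed sample log lines in the PostgreSQL 14+ format, not real output.
SAMPLE_LOG = [
    '2025-06-11 10:02:13 UTC [4131] LOG:  connection authenticated: identity="app" method=scram-sha-256 (/etc/postgresql/16/main/pg_hba.conf:91)',
    '2025-06-11 10:02:14 UTC [4132] LOG:  connection authenticated: identity="legacy" method=md5 (/etc/postgresql/16/main/pg_hba.conf:95)',
    '2025-06-11 10:02:15 UTC [4133] LOG:  connection authenticated: identity="report@EXAMPLE.COM" method=gss (/etc/postgresql/16/main/pg_hba.conf:97)',
]

if __name__ == "__main__":
    url = "jdbc:postgresql://db.example.internal:5432/app?channelBinding=require"
    print("42.7.6:", assess_connection(url, "42.7.6"))
    print("42.7.7:", assess_connection(url, "42.7.7"))
    print("hardened:", harden_url(url))
    print("weak logins:", flag_weak_auth(SAMPLE_LOG))
```

The classification deliberately reports "ok" for verify-full even on an affected driver, mirroring the advisory's workaround, and "unprotected" rather than "vulnerable" when channel binding was never required, so that the triage output separates "this bug bites here" from "this connection was never channel-bound anyway".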