CVE-2025-2291 Information

Description

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value which allows an attacker to log in with an already expired password

Reference

https://www.pgbouncer.org/changelog.html#pgbouncer-124x