PgBouncer 1.24.1 has been released. This release fixes CVE-2025-2291, which could allow an attacker to bypass a Postgres password expiry. Such a password expiry would have been set up in Postgres using the `VALID UNTIL` clause. This is a security issue that affects all versions of PgBouncer. If you use both `VALID UNTIL` and `auth_user`, then you should upgrade, or change the `auth_query` in your config file to the new `auth_query` that is used by default in this release. If you are using a custom `auth_query`, then you should update it to be similar to the new default `auth_query` in this release.
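The shape of the `auth_query` change described above, as an added example that is not taken from the release notes or from PgBouncer's own source: a lookup that ignores the role's expiry date beside one that returns no row once `VALID UNTIL` has passed, wrapped in the `SECURITY DEFINER` helper function that `auth_user` setups commonly use because `pg_shadow` is only readable by superusers. The exact wording of the old and new default queries, the schema and function name `pgbouncer.user_lookup`, and the role name `pgbouncer_auth` are assumptions made for this example.

```sql
-- Added example: not from the PgBouncer release notes or project source.
-- The query texts below are written from the description in the announcement;
-- they are an assumption, not a copy of PgBouncer's actual defaults.

-- Weak: returns the password hash no matter what VALID UNTIL says, so an
-- expired password keeps working through PgBouncer's auth_user lookup.
--   auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1

-- Hardened: yield no row once the password has expired. A NULL valuntil
-- means the password never expires (pg_shadow.valuntil mirrors
-- pg_authid.rolvaliduntil). PgBouncer treats "no row" as a failed login.
--   auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1 AND (valuntil IS NULL OR valuntil > now())

-- Because pg_shadow requires superuser access, the usual deployment is a
-- SECURITY DEFINER function owned by a superuser that only auth_user may
-- call. Schema and function name are placeholders for this example.
CREATE SCHEMA IF NOT EXISTS pgbouncer;

CREATE OR REPLACE FUNCTION pgbouncer.user_lookup(i_username text)
RETURNS TABLE (uname text, phash text) AS $$
    -- Same expiry check as the hardened auth_query. A set-returning SQL
    -- function returns zero rows for an expired or unknown role, rather
    -- than a row of NULLs as a plpgsql SELECT INTO would.
    SELECT usename::text, passwd::text
      FROM pg_catalog.pg_shadow
     WHERE usename = i_username
       AND (valuntil IS NULL OR valuntil > now());
$$ LANGUAGE sql SECURITY DEFINER
   -- Pin search_path so a SECURITY DEFINER body cannot be redirected
   -- to objects in a caller-controlled schema.
   SET search_path = pg_catalog, pg_temp;

-- Restrict execution to the role PgBouncer connects as for auth_user
-- (placeholder role name).
REVOKE ALL ON FUNCTION pgbouncer.user_lookup(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pgbouncer.user_lookup(text) TO pgbouncer_auth;

-- Self-check of the expiry logic, run as a superuser on a test instance:
--   CREATE ROLE expiry_probe LOGIN PASSWORD 'x' VALID UNTIL '2000-01-01';
--   SELECT * FROM pgbouncer.user_lookup('expiry_probe');   -- expect 0 rows
--   ALTER ROLE expiry_probe VALID UNTIL 'infinity';
--   SELECT * FROM pgbouncer.user_lookup('expiry_probe');   -- expect 1 row

-- Matching line in pgbouncer.ini (placeholder function name):
--   auth_query = SELECT uname, phash FROM pgbouncer.user_lookup($1)
```

After deploying a custom function like this, re-run the self-check against a role whose `VALID UNTIL` is in the past and confirm that a pooled login for that role is rejected; a lookup that still returns the hash is the pre-1.24.1 behaviour the CVE describes.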
This release also fixes PAM authentication by reverting support for `pam` in the HBA file. PAM authentication was accidentally broken in 1.24.0. See [https://www.pgbouncer.org/2025/04/pgbouncer-1-24-1](https://www.pgbouncer.org/2025/04/pgbouncer-1-24-1) for more information, the detailed changelog, and download links. PgBouncer is a lightweight connection pooler for PostgreSQL.