PgBouncer 1.25.1 has been released. This release fixes CVE-2025-12819: before this release it was possible for an unauthenticated attacker to execute arbitrary SQL during authentication by providing a malicious `search_path` parameter in the StartupMessage. Systems that have ALL of the following configurations are vulnerable:

1. `track_extra_parameters` includes `search_path` (non-default configuration, probably only configured in setups involving Citus or PostgreSQL 18)
2. `auth_user` is set to a non-empty string (non-default configuration)
3. `auth_query` is configured without fully-qualified object names (default configuration, the `<` operator is not schema q

This release also fixes a bunch of bugs/issues introduced in the recent 1.25.0 release. See the full details in the [changelog](https://pgbouncer.org/changelog.html#pgbouncer-125x).

Download here: [pgbouncer-1.25.1.tar.gz](https://pgbouncer.org/downloads/files/1.25.1/pgbouncer-1.25.1.tar.gz) ([sha256](https://pgbouncer.org/downloads/files/1.25.1/pgbouncer-1.25.1.tar.gz.sha256))
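The three conditions above only matter in combination, which makes them easy to miss in a config review. The following script is an added example (not part of the PgBouncer release or project code) that reads a `pgbouncer.ini`, checks each condition from the release note, and reports whether all three hold at once. The sample configuration, the `pgbouncer_auth` role name and the `auth_query` text are constructed for the demonstration; the schema-qualification check is a regex heuristic that looks for unqualified table names after `FROM`/`JOIN` and comparison operators not wrapped in `OPERATOR(pg_catalog.…)`, so treat its output as a prompt for manual review rather than a proof of safety. The real fix is upgrading to 1.25.1; removing `search_path` from `track_extra_parameters` or schema-qualifying `auth_query` are the interim mitigations implied by the conditions.

```python
"""Heuristic check for the CVE-2025-12819 configuration combination.

Added example, not PgBouncer project code. Reports whether a pgbouncer.ini
has all three conditions from the 1.25.1 release note at the same time:
  1. track_extra_parameters includes search_path
  2. auth_user is non-empty
  3. auth_query references objects or operators without a schema qualifier
"""
import configparser
import re

# Constructed sample pgbouncer.ini (hypothetical role and query, not a real deployment).
SAMPLE_INI = """
[databases]
app = host=127.0.0.1 dbname=app

[pgbouncer]
listen_port = 6432
auth_type = scram-sha-256
auth_user = pgbouncer_auth
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename = $1
track_extra_parameters = IntervalStyle, search_path
"""

# Same deployment with the two interim mitigations applied: search_path is no
# longer tracked, and every object and operator in auth_query is schema-qualified.
HARDENED_INI = """
[databases]
app = host=127.0.0.1 dbname=app

[pgbouncer]
listen_port = 6432
auth_type = scram-sha-256
auth_user = pgbouncer_auth
auth_query = SELECT usename, passwd FROM pg_catalog.pg_shadow WHERE usename OPERATOR(pg_catalog.=) $1
track_extra_parameters = IntervalStyle
"""

# Table name after FROM/JOIN that is not preceded by "schema."
UNQUALIFIED_TABLE = re.compile(r"\b(?:from|join)\s+(?!\w+\.)(\w+)", re.IGNORECASE)
# Explicitly qualified operator calls, e.g. OPERATOR(pg_catalog.<); these are stripped
# before searching for bare operators.
OPERATOR_CALL = re.compile(r"OPERATOR\(\s*\w+\.[^)]+\)", re.IGNORECASE)
BARE_OPERATOR = re.compile(r"<=|>=|<>|<|>|=")


def parse_ini(text: str) -> dict:
    """Return the [pgbouncer] section as a plain dict (keys lower-cased by configparser)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["pgbouncer"]) if cp.has_section("pgbouncer") else {}


def tracks_search_path(cfg: dict) -> bool:
    """Condition 1: search_path is among the tracked extra parameters."""
    params = [p.strip().lower() for p in cfg.get("track_extra_parameters", "").split(",")]
    return "search_path" in params


def has_auth_user(cfg: dict) -> bool:
    """Condition 2: auth_user is a non-empty string."""
    return bool(cfg.get("auth_user", "").strip())


def unqualified_names(query: str) -> list:
    """Condition 3 heuristic: list unqualified tables and bare operators in auth_query."""
    findings = [f"table {m.group(1)}" for m in UNQUALIFIED_TABLE.finditer(query)]
    stripped = OPERATOR_CALL.sub(" ", query)
    findings.extend(f"operator {op}" for op in sorted(set(BARE_OPERATOR.findall(stripped))))
    return findings


def is_vulnerable(cfg: dict) -> tuple:
    """Return (all_three_conditions_hold, list of the conditions that were observed)."""
    reasons = []
    if tracks_search_path(cfg):
        reasons.append("track_extra_parameters includes search_path")
    if has_auth_user(cfg):
        reasons.append("auth_user is set")
    if "auth_query" not in cfg:
        # The release note states the default auth_query is not fully qualified.
        reasons.append("auth_query left at its default, which is not schema-qualified")
    else:
        names = unqualified_names(cfg["auth_query"])
        if names:
            reasons.append("auth_query has unqualified " + ", ".join(names))
    return len(reasons) == 3, reasons


if __name__ == "__main__":
    for label, ini in (("sample", SAMPLE_INI), ("hardened", HARDENED_INI)):
        vuln, reasons = is_vulnerable(parse_ini(ini))
        print(f"{label}: {'VULNERABLE' if vuln else 'not all conditions met'}")
        for r in reasons:
            print("  -", r)
```

Running the script flags the sample configuration on all three counts and clears the hardened one on the first and third, which is the point: a deployment that only has `auth_user` set is not affected by this CVE, and a single change to either of the other two settings breaks the chain while the upgrade is scheduled.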
