CVE-2025-49146 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-49146 PUBLISHED

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

EPSS 0.01% · 1.8th percentile

Risk Scores

EPSS Score

0.01%

1.8th percentile

Affected Products

Vendor	Product	Versions
Bitnami	postgresql-jdbc-driver	42.7.4
Bitnami	postgresql-jdbc-driver	42.7.4

Timeline

Jan 21, 1970 Security Advisory
Jun 11, 2025 CVE Published
Jun 12, 2025 EPSS Score
Jun 15, 2025 Coalition ESS Score
Jun 22, 2025 EPSS Score
Jul 2, 2025 EPSS Score
Jul 12, 2025 EPSS Score
Jul 21, 2025 EPSS Score
Jul 31, 2025 EPSS Score
Aug 10, 2025 EPSS Score
Aug 20, 2025 EPSS Score
Aug 22, 2025 Coalition ESS Score

References

Open in Interactive Console →