VYPR
High severityNVD Advisory· Published Jun 11, 2025· Updated Jun 11, 2025

pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration

CVE-2025-49146

Description

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.postgresql:postgresqlMaven
>= 42.7.4, < 42.7.742.7.7

Affected products

34

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.