CVE-2025-46801

Name: CVE-2025-46801
Description: Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. If the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1106119

Vulnerable and fixed packages

The table below lists information on source packages.

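| Source Package | Release | Version | Status |
|---|---|---|---|
| pgpool2 (PTS) | bullseye | 4.1.4-3 | vulnerable |
| pgpool2 | bullseye (security) | 4.1.4-3+deb11u1 | vulnerable |
| pgpool2 | bookworm | 4.3.5-1 | vulnerable |
| pgpool2 | trixie | 4.6.0-2 | vulnerable |
| pgpool2 | sid | 4.6.1-1 | fixed |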

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pgpool2 | source | (unstable) | 4.6.1-1 | | | 1106119 |

Notes

https://www.pgpool.net/mediawiki/index.php/Main_Page#Pgpool-II_4.6.1.2C_4.5.7.2C_4.4.12.2C_4.3.15_and_4.2.22_officially_released_.282025.2F05.2F15.29_2
Fixed by: https://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=d8e2ace8737f64eee2bf5ca74f6294835fb75ccb (V4_6_1)
