CVE-2025-46801

Name: CVE-2025-46801
Description: Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. If the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-5974-1
Debian Bugs: 1106119

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| pgpool2 (PTS) | bullseye | 4.1.4-3 | vulnerable |
| | bullseye (security) | 4.1.4-3+deb11u1 | vulnerable |
| | bookworm, bookworm (security) | 4.3.5-1+deb12u1 | fixed |
| | trixie | 4.6.1-2 | fixed |
| | forky, sid | 4.6.3-2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pgpool2 | source | bookworm | 4.3.5-1+deb12u1 | | DSA-5974-1 | |
| pgpool2 | source | (unstable) | 4.6.1-1 | | | 1106119 |

Notes

https://www.pgpool.net/mediawiki/index.php/Main_Page#Pgpool-II_4.6.1.2C_4.5.7.2C_4.4.12.2C_4.3.15_and_4.2.22_officially_released_.282025.2F05.2F15.29_2
Fixed by: https://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=d8e2ace8737f64eee2bf5ca74f6294835fb75ccb (V4_6_1)
