
A recently disclosed vulnerability in the PostgreSQL JDBC Driver (PgJDBC) could allow attackers to intercept database connections even when security settings are configured to prevent such attacks. Tracked as CVE-2025-49146, the flaw is rated 8.2 on the CVSS scale, highlighting its potential to seriously compromise secure communications in Java applications that connect to PostgreSQL databases.
“When the PostgreSQL JDBC driver is configured with channel binding set to require, the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding,” the advisory warns.
PgJDBC is an open-source Type 4 JDBC driver written in pure Java. It allows Java programs to connect to PostgreSQL databases using standard, platform-independent Java code, and communicates using PostgreSQL’s native protocol.
The vulnerability lies in the mishandling of the channelBinding=require setting, which is meant to tie the authentication exchange to the underlying SSL/TLS session so that a connection relayed through a third party cannot complete authentication. However, PgJDBC versions 42.7.4 through 42.7.6 mistakenly allow legacy authentication methods, such as password, MD5, GSS, or SSPI, to proceed even though they do not support channel binding.
This opens the door for man-in-the-middle (MITM) attacks, especially in scenarios where users believe their connection is protected but the fallback behavior silently downgrades it.
“This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements,” the advisory explains.
This flaw impacts all applications using PostgreSQL JDBC Driver v42.7.4 through v42.7.6 and has been patched in version 42.7.7.
As an immediate workaround, set the driver’s SSL mode to sslMode=verify-full, which validates the server’s certificate and hostname, offering strong defense against MITM attacks even when channel binding fails.
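As an added example (it is not code from the advisory or from the PgJDBC project), the following Java class applies the workaround above and adds two defender-side checks: it refuses to use a driver older than the fixed 42.7.7, and after connecting it asks the server through the pg_stat_ssl view whether the session is really on TLS. The host, database, user, CA bundle path, and the reliance on the driver jar's Implementation-Version manifest entry for the version check are assumptions for the purpose of the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Added example, not PgJDBC project code: open a PgJDBC connection with the
 * settings that blunt the CVE-2025-49146 downgrade, then verify what the
 * server actually negotiated.
 */
public class HardenedPgConnection {

    // Hypothetical connection target; replace with your own.
    private static final String JDBC_URL = "jdbc:postgresql://db.example.internal:5432/appdb";

    // First driver version containing the fix, per the advisory.
    private static final int[] FIXED_VERSION = {42, 7, 7};

    /** True when a dotted version string such as "42.7.7" is at least FIXED_VERSION. */
    static boolean isFixedDriver(String driverVersion) {
        String[] parts = driverVersion.trim().split("\\.");
        for (int i = 0; i < FIXED_VERSION.length; i++) {
            int part = 0;
            if (i < parts.length) {
                // Drop a trailing qualifier such as "-SNAPSHOT" before parsing.
                String digits = parts[i].replaceAll("[^0-9].*$", "");
                part = digits.isEmpty() ? 0 : Integer.parseInt(digits);
            }
            if (part != FIXED_VERSION[i]) {
                return part > FIXED_VERSION[i];
            }
        }
        return true;
    }

    /** Connection properties that do not rely on channel binding alone. */
    static Properties hardenedProperties(String user, String password, String caBundlePath) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        // Workaround from the advisory: verify the server certificate AND its
        // hostname, so a relaying host cannot substitute a certificate of its own.
        props.setProperty("sslmode", "verify-full");
        props.setProperty("sslrootcert", caBundlePath);
        // Keep requiring channel binding; a fixed driver rejects authentication
        // methods that cannot provide it instead of silently falling back.
        props.setProperty("channelBinding", "require");
        return props;
    }

    static Connection connect(String user, String password, String caBundlePath) throws SQLException {
        // Assumption: the driver jar's manifest carries Implementation-Version.
        // Checking before connecting means an affected driver never sends credentials.
        String version = org.postgresql.Driver.class.getPackage().getImplementationVersion();
        if (version == null || !isFixedDriver(version)) {
            throw new IllegalStateException(
                    "PgJDBC " + version + " is affected by CVE-2025-49146; upgrade to 42.7.7 or later");
        }

        Connection conn = DriverManager.getConnection(JDBC_URL, hardenedProperties(user, password, caBundlePath));

        // Server-side confirmation that this very session is on TLS.
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid()")) {
            if (!rs.next() || !rs.getBoolean("ssl")) {
                conn.close();
                throw new IllegalStateException("session to " + JDBC_URL + " is not using TLS");
            }
            System.out.println("TLS " + rs.getString("version") + " / " + rs.getString("cipher"));
        } catch (SQLException e) {
            conn.close();
            throw e;
        }
        return conn;
    }

    public static void main(String[] args) throws SQLException {
        // Hypothetical credentials and CA bundle location.
        try (Connection c = connect("app", System.getenv("PGPASSWORD"), "/etc/ssl/certs/internal-ca.pem")) {
            System.out.println("connected as " + c.getMetaData().getUserName());
        }
    }
}
```

The version gate runs before any connection is attempted, so an application still shipping 42.7.4 to 42.7.6 fails closed rather than sending a password over a connection that may have been downgraded; sslmode=verify-full remains the setting that protects even an unpatched driver, which is why it is applied regardless.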