PgBouncer sits between applications and PostgreSQL databases; crashing it severs all database connections and takes down every application that depends on it until the service is manually restarted. For organizations using PgBouncer in front of production databases — common in high-traffic SaaS, e-commerce, and financial platforms — a successful attack means full application downtime with no data access until resolved. Because no login credentials are required to trigger the crash, any attacker who can reach the PgBouncer port can cause this disruption repeatedly, making recovery without patching unreliable.
You Are Affected If
You run PgBouncer versions prior to 1.25.2 in production environments
Your PgBouncer port (default TCP 6432) is reachable from untrusted networks or the public internet
You have not yet applied the PgBouncer 1.25.2 patch or an equivalent vendor-supplied update
SCRAM-SHA-256 authentication is enabled or available as a supported method in your PgBouncer configuration
PgBouncer instances are not monitored for unexpected process crashes or service restarts
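As an added example (not part of this advisory or of the PgBouncer project), a Python check that applies the checklist above to one instance: it reads a constructed pgbouncer.ini fragment and a version string (assumed to look like the output of `pgbouncer --version`, e.g. "PgBouncer 1.25.1") and ranks the instance for patching, with externally reachable unpatched listeners first.

```python
import configparser
import re

PATCHED_VERSION = (1, 25, 2)  # first release the advisory names as fixed
DEFAULT_PORT = 6432           # PgBouncer's default listen_port

# Constructed sample pgbouncer.ini (not taken from any real deployment).
SAMPLE_INI = """
[databases]
app = host=10.0.0.5 dbname=app
[pgbouncer]
listen_addr = *
listen_port = 6432
auth_type = scram-sha-256
auth_file = /etc/pgbouncer/userlist.txt
"""

def parse_version(version_output: str) -> tuple:
    """Pull the first dotted version number out of a string such as the
    output of `pgbouncer --version` (assumed to look like 'PgBouncer 1.25.1')."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version_output)
    if not m:
        raise ValueError(f"no version number found in {version_output!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def assess_exposure(ini_text: str, version_output: str) -> dict:
    """Apply the 'You Are Affected If' checklist to one instance's config and version."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    pgb = cfg["pgbouncer"] if cfg.has_section("pgbouncer") else {}
    auth_type = pgb.get("auth_type", "md5").strip().lower()   # PgBouncer default is md5
    listen_addr = pgb.get("listen_addr", "").strip()           # unset = unix socket only
    listen_port = int(pgb.get("listen_port", DEFAULT_PORT))
    needs_patch = parse_version(version_output) < PATCHED_VERSION
    # '*' or any non-loopback bind means the TCP listener is reachable beyond localhost
    non_local = listen_addr not in ("", "127.0.0.1", "::1", "localhost")
    if needs_patch and non_local:
        priority = "urgent"      # externally reachable and unpatched: patch first
    elif needs_patch:
        priority = "high"
    else:
        priority = "none"
    return {
        "needs_patch": needs_patch,
        "scram_configured": auth_type == "scram-sha-256",
        "tcp_listener_non_local": non_local,
        "listen_port": listen_port,
        "priority": priority,
    }
```

Run it against each instance's real pgbouncer.ini and version output to build the patch-priority list the talking points below call for; a bind to "*" with a version below 1.25.2 is the case to close first.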
Board Talking Points
A publicly confirmed, actively exploited vulnerability in a widely used database middleware component can bring down application services with a single unauthenticated network request.
Technology teams should upgrade all affected PgBouncer instances to version 1.25.2 within 24-48 hours, prioritizing any instances with external network exposure.
Without patching, adversaries can repeatedly crash database connectivity at will, causing sustained application outages that cannot be reliably resolved through restarts alone.
PCI-DSS — if PgBouncer pools connections to databases storing payment card data, a denial-of-service attack against it constitutes an availability failure for in-scope cardholder data systems (Requirement 6.3, 12.3)
HIPAA — if PgBouncer pools connections to databases containing electronic protected health information, service disruption may constitute a breach of availability safeguards under the Security Rule (§164.312(a)(2)(ii))