PgBouncer Untrusted Search Path Vulnerability in auth_query Connection Handler Allowing Arbitrary SQL Execution

Vulnerability

A vulnerability exists in PgBouncer versions prior to 1.25.1, specifically within the auth_query connection handler. This vulnerability allows an unauthenticated attacker to execute arbitrary SQL during the authentication process by injecting a malicious search_path parameter into the StartupMessage. The issue arises from an untrusted search path that PgBouncer does not properly validate before executing SQL commands.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of SQL commands, potentially allowing attackers to manipulate the database or bypass authentication mechanisms.

Reproduction

To reproduce this vulnerability, configure PgBouncer with an auth_user set to a non-empty string and track_extra_parameters to include search_path. Then, send a StartupMessage with a crafted search_path parameter that includes malicious SQL. This will trigger the auth_query connection handler to execute the injected SQL during the authentication process.

Remediation

Users can upgrade to PgBouncer version 1.25.1 or later, where this vulnerability has been fixed.
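As an added example (not PgBouncer's own code or anything from this advisory), the check below reads a pgbouncer.ini and reports whether the exposed combination described above is present: a non-empty auth_user, search_path listed in track_extra_parameters, and a version before 1.25.1. The sample ini and version strings are constructed for the demonstration.

```python
import configparser
import re

# Constructed sample pgbouncer.ini fragment (assumption, not from the advisory):
# auth_user is set and track_extra_parameters forwards search_path, which is
# the configuration precondition the advisory describes.
SAMPLE_INI = """
[pgbouncer]
listen_port = 6432
auth_type = md5
auth_user = pgbouncer
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1
track_extra_parameters = IntervalStyle, search_path
"""

# First release that contains the fix, per the Remediation section.
FIXED_VERSION = (1, 25, 1)


def parse_version(text):
    """Turn a version string such as '1.24.0' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised PgBouncer version: %r" % text)
    return tuple(int(x) for x in m.groups())


def config_exposed(ini_text):
    """True if auth_user is non-empty and search_path is tracked as an extra parameter."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    section = cp["pgbouncer"] if cp.has_section("pgbouncer") else {}
    auth_user = section.get("auth_user", "").strip()
    extra = section.get("track_extra_parameters", "")
    params = {p.strip().lower() for p in extra.split(",") if p.strip()}
    return bool(auth_user) and "search_path" in params


def is_vulnerable(ini_text, version):
    """Combine the configuration precondition with the version check."""
    return parse_version(version) < FIXED_VERSION and config_exposed(ini_text)


if __name__ == "__main__":
    for v in ("1.24.1", "1.25.1"):
        print(v, "vulnerable" if is_vulnerable(SAMPLE_INI, v) else "not vulnerable")
```

On a real host, feed it the running pgbouncer.ini and the output of `pgbouncer --version`; a "vulnerable" result means either upgrading or dropping search_path from track_extra_parameters closes the exposure.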

Added: Dec 3, 2025, 7:24 PM
Updated: Dec 3, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 5.0
exploitability: 7.3
remediation: 7.7
relevance: 1.3
threat: 1.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.