PgBouncer 1.24.1 has been released. This release fixes CVE-2025-2291, which could allow an attacker to bypass Postgres's password expiry. Such a password expiry would have been set up in Postgres using the VALID UNTIL clause. This is a security issue that affects all versions of PgBouncer. If you use both VALID UNTIL and auth_user, then you should upgrade, or change the auth_query in your config file to the new auth_query that is used by default in this release. If you are using a custom auth_query, then you should update it to be similar to the new default auth_query in this release.
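As an added example, not from the announcement or the PgBouncer project, this is an expiry-aware lookup of the kind the text recommends, wrapped in a SECURITY DEFINER function so that auth_user needs no direct access to pg_shadow. The pgbouncer schema, role and function name are assumptions, and the exact text of the new 1.24.1 default is not reproduced here, so compare with the linked changelog before adopting it.

```sql
-- Added example; not the project's own code. Column names come from
-- PostgreSQL's pg_shadow view (usename, passwd, valuntil). The schema
-- "pgbouncer", the role "pgbouncer" and the function name are assumptions.

-- Weak form (an auth_query that ignores VALID UNTIL): the hash is
-- returned even after valuntil has passed, so PgBouncer keeps verifying
-- client passwords against it.
--   auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1

-- Hardened form: once valuntil has passed, return NULL instead of the
-- hash, so there is nothing for the client password to match against.
CREATE SCHEMA IF NOT EXISTS pgbouncer;

CREATE OR REPLACE FUNCTION pgbouncer.user_lookup(IN  p_username TEXT,
                                                 OUT username   TEXT,
                                                 OUT password   TEXT)
RETURNS record
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog
AS $$
    SELECT usename::text,
           CASE WHEN valuntil IS NOT NULL AND valuntil < now()
                THEN NULL          -- expired: hide the hash
                ELSE passwd        -- still valid (or no expiry set)
           END
      FROM pg_shadow
     WHERE usename = p_username;
$$;

-- Only the auth_user role may call the lookup.
REVOKE ALL ON FUNCTION pgbouncer.user_lookup(TEXT) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pgbouncer.user_lookup(TEXT) TO pgbouncer;

-- Corresponding pgbouncer.ini settings (assumed role name):
--   auth_user  = pgbouncer
--   auth_query = SELECT username, password FROM pgbouncer.user_lookup($1)
```

After applying it, test with a role whose VALID UNTIL is in the past: the function should return a NULL password for that role and the hash for an unexpired one.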
This release also fixes PAM authentication by reverting support for pam in the HBA file. PAM authentication was accidentally broken in 1.24.0.
See https://www.pgbouncer.org/2025/04/pgbouncer-1-24-1 for more information, the detailed changelog, and download links.
PgBouncer is a lightweight connection pooler for PostgreSQL.