CVE-2025-2506 - pglogical 3.x, BDR/PGD 4.x and BDR/PGD 5.x allow unauthorized reads
First Published: 2025/05/22
Summary
When pglogical attempts to replicate data, it does not verify that it is running on a replication connection. As a result, a user with CONNECT access to a database configured for replication can execute the pglogical command to obtain read access to replicated tables. pglogical should perform this check when it runs, but does not. This vulnerability was introduced in the pglogical 3.x codebase, which is proprietary to EDB; the same code base has been integrated into BDR/PGD 4 and 5.
To exploit the vulnerability, the attacker needs at least CONNECT permission on a database configured for replication, must understand a number of pglogical3/BDR-specific commands, and must be able to decode the binary protocol.
Vulnerability details
CVE-ID: CVE-2025-2506
CVSS Base Score: 5.3
CVSS Temporal Score: Undefined
CVSS Environmental Score: Undefined
CVSS Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products and versions
- All versions of pglogical 3.x prior to 3.7.26-ELS
- All versions of BDR/PGD 4.x prior to 4.3.8-ELS
- All versions of BDR/PGD 5.x prior to 5.8.0
Remediation/fixes
Impacted users must upgrade to a fixed version of pglogical or BDR/PGD. Versions with fixes will be made available in the next release of pglogical and BDR/PGD.
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| pglogical | All versions prior to 3.7.26-ELS | Update to latest supported version (at least 3.7.26-ELS) |
| BDR/PGD | All 4.x versions prior to 4.3.8-ELS | Update to latest supported version (at least 4.3.8-ELS) |
| BDR/PGD | All 5.x versions prior to 5.8.0 | Update to latest supported version (at least 5.8.0) |
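The following is an added example, not EDB tooling, that classifies installed extension versions against the affected and fixed versions listed in this advisory. It assumes the extensions report themselves in pg_extension as 'pglogical' and 'bdr' with extversion strings of the form 'X.Y.Z' or 'X.Y.Z-ELS'; the sample rows are constructed.

```python
"""Classify pglogical / BDR(PGD) extension versions against CVE-2025-2506.
Added example, not EDB's own tooling. Assumes extension names 'pglogical' and
'bdr' and version strings like '3.7.25' or '3.7.26-ELS' (both assumptions)."""
import re

# Fixed versions taken from the advisory, keyed by (extension name, major line).
FIXED = {
    ("pglogical", 3): (3, 7, 26),
    ("bdr", 4): (4, 3, 8),
    ("bdr", 5): (5, 8, 0),
}

# 'X.Y.Z' with an optional '-SUFFIX' such as '-ELS' (Extended Life Support).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-\w+)?$")


def parse_version(text):
    """Return (major, minor, patch) for 'X.Y.Z[-SUFFIX]', or None if unparseable.
    The suffix only marks the build line and does not affect ordering."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(extname, extversion):
    """True if the version is below the advisory's fix for its major line,
    False if it is at or beyond the fix, None if the advisory does not cover
    it (unknown extension, uncovered major line, or unparseable version)."""
    ver = parse_version(extversion)
    if ver is None:
        return None
    fixed = FIXED.get((extname.lower(), ver[0]))
    if fixed is None:
        return None
    return ver < fixed


def audit(rows):
    """Map (extname, extversion) rows, e.g. the result of
    SELECT extname, extversion FROM pg_extension WHERE extname IN ('pglogical','bdr'),
    to (extname, extversion, status) with status VULNERABLE, fixed or unknown."""
    out = []
    for extname, extversion in rows:
        v = is_vulnerable(extname, extversion)
        out.append((extname, extversion,
                    "unknown" if v is None else ("VULNERABLE" if v else "fixed")))
    return out


if __name__ == "__main__":
    # Constructed sample rows standing in for a pg_extension query result.
    sample = [("pglogical", "3.7.25"), ("pglogical", "3.7.26-ELS"), ("bdr", "4.3.7"),
              ("bdr", "4.3.8-ELS"), ("bdr", "5.7.0"), ("bdr", "5.8.0"), ("bdr", "6.0.0")]
    for row in audit(sample):
        print("%-10s %-12s %s" % row)
```

Run the query in the docstring of `audit` on each database configured for replication, since pg_extension is per-database, and feed the rows to `audit`.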
Acknowledgement
Source: EnterpriseDB
Change history
- 22 May 2025: Original Copy Published
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.