EnterpriseDB pglogical/BDR Privilege Escalation via Unverified Replication Connection (CVE-2025-2506)

Critical Vulnerability Information Vulnerability Overview CVE-ID: CVE-2025-2506 CVSS Base Score: 5.3 CVSS Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Affected Products and Versions pglogical 3.x all versions up to 3.726-ELS BDR/PGD 4.x all versions up to 4.38-ELS BDR/PGD 5.x all versions up to 5.8.0 Vulnerability Details When pglogical attempts to replicate data, it does not verify whether it is running over a replication connection. This means that users with CONNECT privileges can execute pglogical commands to gain read access to replicated tables. pglogical should verify that it is running on a replication connection, but this check is not performed. Remediation Affected users must upgrade to a patched version of pglogical or BDR/PGD. Patched versions will be available in the next releases of pglogical and BDR/PGD. References CVSS Calculator v3.1 Related Information EnterpriseDB PostgreSQL pglogical 3 BDR 4 BDR 5 Acknowledgements Source: EnterpriseDB Change History May 22, 2025: Original copy published

Goal Reached Thanks to every supporter — we hit 100%!

EnterpriseDB pglogical/BDR Privilege Escalation via Unverified Replication Connection (CVE-2025-2506)