CVE-2025-2506

MEDIUM EPSS 17.9%
Published May 22, 20251y ago · Modified Jun 17, 20262w ago
5.3 CVSS 3.1
Medium
Find Similar
Published May 22, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

When pglogical attempts to replicate data, it does not verify it is using a replication connection, which means a user with CONNECT access to a database configured for replication can execute the pglogical command to obtain read access to replicated tables. When pglogical runs it should verify it is running on a replication connection but does not perform this check. This vulnerability was introduced in the pglogical 3.x codebase, which is proprietary to EDB. The same code base has been integrated into BDR/PGD 4 and 5. To exploit the vulnerability the attacker needs at least CONNECT permissions to a database configured for replication and must understand a number of pglogical3/BDR specific commands and be able to decode the binary protocol.

CVSS Details

Base Score
5.3
Exploitability
1.6
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
17.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-862 Missing Authorization Authorization

References 1

  • enterprisedb.com https://www.enterprisedb.com/docs/security/advisories/cve20252506/

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.