
Upgrade org.postgresql:postgresql to version 42.7.7 to address CVE-2025-49146 #40553

@abstractj

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

dependencies

Describe the bug

A security vulnerability has been detected by Trivy in the project's dependencies.

Package: org.postgresql:postgresql

Installed Version: 42.7.5

Vulnerable Versions: >= 42.7.4, < 42.7.7

Fixed Version: 42.7.7

CVE ID: CVE-2025-49146

Severity: HIGH

Description

The PostgreSQL JDBC driver (pgjdbc), in versions 42.7.4 through 42.7.6, contains a high-severity vulnerability.

When the driver is configured with channelBinding=required (the default is prefer), it incorrectly permits connections using authentication methods that do not support channel binding (e.g., password, MD5, GSS, SSPI). This flaw could allow a Man-in-the-Middle (MITM) attacker to intercept and compromise connections that are intended to be protected by channel binding.

Action Required
To mitigate this vulnerability, the org.postgresql:postgresql dependency should be upgraded to version 42.7.7 or later.

<!-- Example for Maven -->
<dependency>
  <groupId>org.postgresql</groupId>
  <artifactId>postgresql</artifactId>
  <version>42.7.7</version>
</dependency>

Version

26.2.5

Regression

  • The issue is a regression

Expected behavior

No CVEs reported for PostgreSQL.

Actual behavior

CVEs reported for PostgreSQL.

How to Reproduce?

Check scanner alerts.

Anything else?

EDIT: Will be solved by #40591

Remediation

(edited by @mabartos)

Do not use channelBinding=required in your db-url-properties or db-url for the PostgreSQL JDBC driver URL. The default value is channelBinding=preferred, so Keycloak is not affected by default.

If you're already using channelBinding=required, it is recommended to use sslMode=verify-full (and ensure TLS), as using authentication on a non-secure transport is not recommended (this is where the MITM attack comes from). Note that this works around the issue (and lets you use "required" or "preferred"). (Recommended by @cescoffier.)
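As an added example (not Keycloak's or pgjdbc's own code), the following Python audit applies the affected version range from the report and the channelBinding/sslMode conditions from the Remediation above to a datasource configuration; the hostnames and property values are constructed.

```python
"""Audit a Keycloak PostgreSQL datasource for CVE-2025-49146 exposure.
Constructed example, not Keycloak's or pgjdbc's own code. Property names
follow pgjdbc (channelBinding, sslmode), matched case-insensitively."""

VULN_MIN = (42, 7, 4)  # first affected pgjdbc release
FIXED = (42, 7, 7)     # first fixed pgjdbc release

def parse_version(version: str) -> tuple:
    """'42.7.5' -> (42, 7, 5); non-numeric suffixes such as '.jre7' are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def driver_affected(version: str) -> bool:
    """True when the pgjdbc version lies in the affected range [42.7.4, 42.7.7)."""
    return VULN_MIN <= parse_version(version) < FIXED

def jdbc_params(db_url: str, db_url_properties: str = "") -> dict:
    """Merge query parameters from the JDBC URL and from db-url-properties ('?k=v&...')."""
    params = {}
    for source in (db_url, db_url_properties):
        if "?" in source:
            query = source.split("?", 1)[1]
        else:
            query = "" if "://" in source else source  # bare 'k=v&k2=v2' form
        for pair in filter(None, query.split("&")):
            key, _, value = pair.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

def assess(version: str, db_url: str, db_url_properties: str = "") -> dict:
    """Exposed only if all hold: affected driver, channelBinding=required,
    and no sslmode=verify-full workaround (see the Remediation section)."""
    params = jdbc_params(db_url, db_url_properties)
    channel_binding = params.get("channelbinding", "prefer")  # pgjdbc default
    sslmode = params.get("sslmode", "prefer")                 # pgjdbc default
    affected = driver_affected(version)
    exposed = affected and channel_binding == "required" and sslmode != "verify-full"
    return {"driver_affected": affected, "channel_binding": channel_binding, "sslmode": sslmode, "exposed": exposed}

# Constructed sample datasources: (pgjdbc version, db-url, db-url-properties).
BASE = "jdbc:postgresql://db.example.internal:5432/keycloak"
SAMPLES = {
    "dev": ("42.7.5", BASE + "?channelBinding=required", ""),
    "prod": ("42.7.5", BASE, "?channelBinding=required&sslMode=verify-full"),
    "patched": ("42.7.7", BASE + "?channelBinding=required", ""),
    "default": ("42.7.5", BASE, ""),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(f"{name:8s} {assess(*args)}")
```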

Metadata

Labels

  • area/dependencies
  • kind/bug (Categorizes a PR related to a bug)
  • kind/cve (Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected)
  • priority/important (Must be worked on very soon)
  • release/26.2.7
  • release/26.3.2
  • status/blocked-external (Used for marking Issues/PRs as blocked by some external factors like a bug in Quarkus)
  • team/cloud-native