CVE-2025-2506

May 23, 2025, 3:55 p.m.

5.3
Medium

Description

When pglogical attempts to replicate data, it does not verify that it is using a replication connection. As a result, a user with CONNECT access to a database configured for replication can execute the pglogical command to obtain read access to replicated tables. pglogical should verify that it is running on a replication connection when it runs, but it does not perform this check. This vulnerability was introduced in the pglogical 3.x codebase, which is proprietary to EDB. The same codebase has been integrated into BDR/PGD 4 and 5. To exploit the vulnerability, the attacker needs at least CONNECT permission on a database configured for replication, must understand a number of pglogical3/BDR-specific commands, and must be able to decode the binary protocol.

Product(s) Impacted

Vendor  Product    Versions
Edb     Pglogical  3.*
Edb     Bdr        4.*, 5.*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

*CPE(s)

Affected systems and software identified for this CVE.

Type  Vendor  Product    Version
a     edb     pglogical  3.*
a     edb     bdr        4.*
a     edb     bdr        5.*

(Update, Edition, Language, Software Edition, Target Software, Target Hardware and Other Information are not specified for any of these CPEs.)

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: May 22, 2025, 4:15 p.m.
Last Modified: May 23, 2025, 3:55 p.m.

Status: Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

Source

20be33e2-bf35-4d13-8fad-18bd2f3e3659

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.