
PgBouncer 1.24.1 has been released and addresses CVE-2025-2291, which could let an attacker bypass the password expiry that Postgres enforces through VALID UNTIL. The issue affects every version of PgBouncer. Users who rely on auth_user are advised to update the auth_query in their configuration files to match the new default auth_query.



PgBouncer 1.24.1 released - Fixes CVE-2025-2291

PgBouncer 1.24.1 has been released. This release fixes CVE-2025-2291, which could allow an attacker to bypass the password expiry configured in Postgres. Such an expiry is set on a role in Postgres with the VALID UNTIL clause. This is a security issue that affects all versions of PgBouncer. If you use both VALID UNTIL and auth_user, you should upgrade, or change the auth_query in your config file to the new auth_query that is used by default in this release. If you are using a custom auth_query, you should update it to be similar to the new default auth_query in this release.
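As an added example (constructed for this page; not code from the PgBouncer release or its documentation), the following psql session shows why an auth_query that only reads the username and password hash lets an expired password through, and what an expiry-aware lookup returns instead. The expiry-aware query is an illustrative shape written by the editor; take the exact default from the 1.24.1 changelog when editing pgbouncer.ini.

```sql
-- Added example (constructed; not from the PgBouncer release). Run with psql as a
-- superuser on a scratch database. It shows why an auth_query that only reads
-- usename/passwd lets an expired password through, and what an expiry-aware
-- lookup returns instead. The expiry-aware query below is an illustrative shape;
-- take the exact default from the 1.24.1 changelog for pgbouncer.ini.

-- Constructed test role whose password expired long ago.
CREATE ROLE expired_app_user LOGIN PASSWORD 'constructed-test-password'
    VALID UNTIL '2000-01-01 00:00:00+00';

-- $1 stands for the connecting username, exactly as PgBouncer passes it to auth_query.
PREPARE lookup_old(text) AS
    SELECT usename, passwd
      FROM pg_catalog.pg_shadow
     WHERE usename = $1;

PREPARE lookup_expiry_aware(text) AS
    SELECT usename, passwd
      FROM pg_catalog.pg_shadow
     WHERE usename = $1
       AND (valuntil IS NULL OR valuntil > now());

-- Returns one row: the hash is handed back and the expiry is never consulted,
-- so a pooler using this query would still accept the old password.
EXECUTE lookup_old('expired_app_user');

-- Returns zero rows: no hash, so the client's password cannot match and
-- authentication fails, which is the behaviour Postgres itself enforces.
EXECUTE lookup_expiry_aware('expired_app_user');

-- Cross-check against the catalog: VALID UNTIL is stored in rolvaliduntil.
SELECT rolname, rolvaliduntil, rolvaliduntil > now() AS still_valid
  FROM pg_catalog.pg_authid
 WHERE rolname = 'expired_app_user';

DEALLOCATE lookup_old;
DEALLOCATE lookup_expiry_aware;
DROP ROLE expired_app_user;
```

In pgbouncer.ini the query text goes on the auth_query line with $1 left in place; PgBouncer substitutes the connecting username at lookup time.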

This release also fixes PAM authentication by reverting support for pam in the HBA file. PAM authentication was accidentally broken in 1.24.0.

See the full details in the changelog.
