CVE-2025-22248: Unauthenticated Access via Default Pgpool Configuration in Bitnami PostgreSQL Deployments

Critical Default Configuration Vulnerability in Bitnami Pgpool and Postgres-HA

On May 13, 2025, a critical vulnerability identified as CVE-2025-22248 was disclosed, affecting Bitnami’s pgpool Docker image and the bitnami/postgres-ha Kubernetes Helm chart. This flaw permits unauthenticated access to PostgreSQL databases due to insecure default user settings.

Understanding the Vulnerability

The issue stems from the inclusion of a user account named repmgr, configured by default without authentication controls. This account is intended for internal streaming replication checks by Pgpool, controlled via the PGPOOL_SR_CHECK_USER setting.

However, in affected configurations, this user is assigned the trust authentication method, so connections made as repmgr are accepted without any credentials. If Pgpool is exposed to external networks, an attacker could exploit this configuration to:

  • Access the PostgreSQL database without authentication
  • Potentially compromise data confidentiality, integrity, and availability

CVSS 4.0 Score and Impact

This vulnerability has been rated CRITICAL with a CVSS v4.0 base score of 9.4. The vector string is:

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

The scoring details reveal:

  • Attack Vector: Adjacent network (e.g., same Kubernetes cluster)
  • Privileges Required: None
  • User Interaction: None
  • Confidentiality/Integrity/Availability Impact: High

This configuration flaw exemplifies CWE-1188: Initialization of a Resource with an Insecure Default, which refers to the use of weak or unsafe defaults in software deployments.

Affected Versions

The following Bitnami components are impacted:

  • bitnami/pgpool versions prior to 4.6.0-debian-12-r8
  • bitnami/postgres-ha versions prior to 16.0.0

These defaults are present in both Docker and Kubernetes Helm chart deployments.

Remediation

Organizations using affected versions should:

  • Update to the latest fixed versions of pgpool and postgres-ha
  • Audit and secure all default database users
  • Restrict external exposure of Pgpool where unnecessary

Bitnami has provided updated packages and advisories through their GitHub repository.
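The check a defender wants after the description of the repmgr trust default and the remediation step "Audit and secure all default database users" is a quick audit of the HBA rules. The following is an added example, not Bitnami's code and not taken from the advisory: it parses rules in the shared pg_hba.conf / pool_hba.conf line format, flags every trust entry, ranks network-reachable ones highest, and produces a hardened copy that rewrites those to scram-sha-256. The sample rule set is constructed for the example; its repmgr rows only imitate the kind of default described above and do not reproduce the exact rules shipped in the affected images.

```python
"""Audit HBA rules for passwordless ('trust') access and produce a hardened copy.

pg_hba.conf and Pgpool's pool_hba.conf share one line format:
    TYPE  DATABASE  USER  [ADDRESS]  METHOD  [OPTIONS]
'local' rules have no ADDRESS column; host rules give the address either
as CIDR ("10.0.0.0/8"), as IP plus netmask ("10.0.0.0 255.0.0.0"), or as
a hostname. IPv6 netmask pairs are not handled here.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rule set (not taken from any Bitnami image). The
# repmgr rows imitate the kind of default the advisory describes: the
# replication-check user reachable over the network with method 'trust'.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER    ADDRESS              METHOD
local   all       all                          trust
host    all       repmgr  0.0.0.0/0            trust
host    all       repmgr  ::/0                 trust
host    all       all     0.0.0.0/0            scram-sha-256
host    all       all     10.0.0.0 255.0.0.0   md5
"""


@dataclass
class HbaRule:
    line_no: int
    type: str
    database: str
    user: str
    address: Optional[str]
    method: str
    method_index: int  # position of METHOD among the line's tokens


def _looks_like_netmask(tok: str) -> bool:
    parts = tok.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def parse_hba(text: str) -> List[HbaRule]:
    """Parse HBA rules, skipping blank lines, comments and malformed rows."""
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":
            if len(f) >= 4:
                rules.append(HbaRule(n, f[0], f[1], f[2], None, f[3], 3))
            continue
        if len(f) < 5:
            continue
        if "/" in f[3] or len(f) < 6 or not _looks_like_netmask(f[4]):
            address, idx = f[3], 4              # CIDR or hostname
        else:
            address, idx = f"{f[3]} {f[4]}", 5  # IP + netmask pair
        rules.append(HbaRule(n, f[0], f[1], f[2], address, f[idx], idx))
    return rules


def find_trust_rules(rules: List[HbaRule]) -> List[dict]:
    """Return every 'trust' rule; network-reachable ones are ranked HIGH."""
    findings = []
    for r in rules:
        if r.method != "trust":
            continue
        findings.append({
            "line": r.line_no,
            "type": r.type,
            "user": r.user,
            "address": r.address,
            "severity": "MEDIUM" if r.type == "local" else "HIGH",
        })
    return findings


def harden_hba(text: str, replacement: str = "scram-sha-256") -> str:
    """Rewrite network-reachable 'trust' rules to password authentication.

    Local-socket rules are left alone; the caller decides about those.
    Comments and non-trust rows are passed through unchanged.
    """
    by_line = {r.line_no: r for r in parse_hba(text)}
    out = []
    for n, raw in enumerate(text.splitlines(), start=1):
        r = by_line.get(n)
        if r and r.method == "trust" and r.type != "local":
            code, sep, comment = raw.partition("#")
            f = code.split()
            f[r.method_index] = replacement
            raw = "  ".join(f) + (f"  {sep}{comment}" if sep else "")
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for hit in find_trust_rules(parse_hba(SAMPLE_HBA)):
        print(f"line {hit['line']}: {hit['severity']} trust rule for "
              f"user={hit['user']} type={hit['type']} address={hit['address']}")
    print("--- hardened ---")
    print(harden_hba(SAMPLE_HBA), end="")
```

Switching the replication-check user from trust to a password method means Pgpool itself must then be given that user's password, or its streaming-replication checks will start failing. Local-socket trust rules are reported but left untouched, since they are only reachable from inside the container; whether they belong in a hardened image is a separate decision.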

Conclusion

CVE-2025-22248 is a strong reminder of the dangers posed by insecure default configurations, especially in cloud-native environments. Administrators must not rely on default security settings and should proactively review deployment parameters to reduce risk.
