Threat Advisory

Bitnami Pgpool-II Misconfiguration Vulnerability Allows Unauthenticated PostgreSQL Access

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical


EXECUTIVE SUMMARY:

A vulnerability, CVE-2025-22248, has been identified in the Bitnami Pgpool-II Docker image, which, under default configurations, includes a 'repmgr' user that permits unauthenticated access to the PostgreSQL database within the cluster. The issue arises because 'PGPOOL_SR_CHECK_USER' is set to 'repmgr' with trust-level authentication, which allows login without a password. If the Pgpool instance is exposed to external networks, an attacker could exploit this misconfiguration to gain direct access to PostgreSQL databases, potentially leading to unauthorized data access, modification, or further compromise of infrastructure. It may allow threat actors to exfiltrate sensitive information or execute arbitrary queries. This could disrupt application services relying on PostgreSQL and compromise data integrity. The vulnerability poses a heightened risk in production environments with internet-exposed Pgpool instances. The CVSS score for this vulnerability is 9.4.


RECOMMENDATION:

We strongly recommend updating Bitnami Pgpool products to the following versions:

  • Bitnami Pgpool-II to version 4.6.0-1 or newer.
  • Bitnami PostgreSQL HA to version 16.0.0 or newer.
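
To check whether a deployment still accepts passwordless logins for the 'repmgr' account, the following added example (not taken from this advisory or from Bitnami) scans pg_hba.conf-style rules for 'trust' entries that match that user and marks the ones reachable beyond loopback. The sample rules are constructed, and the function names are assumptions made for illustration.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample rules, not copied from the Bitnami image.
SAMPLE_HBA = "\n".join([
    "local   all          all                        peer",
    "host    all          repmgr  0.0.0.0/0          trust",
    "host    replication  repmgr  127.0.0.1/32       trust  # local check",
    "host    all          all     10.0.0.0 255.0.0.0 trust",
    "host    all          all     0.0.0.0/0          scram-sha-256",
])

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def _loopback_only(address):
    """True only when the address field is a range inside loopback."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False  # keywords (all, samenet) and hostnames count as remote

def find_trust_entries(hba_text, user="repmgr"):
    """Return (line_no, type, address, remote) for each rule that lets
    `user` log in with the `trust` method, i.e. without a password."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 4:
            continue
        conn_type, users = fields[0], fields[2].split(",")
        if conn_type == "local":
            address, method = "(unix socket)", fields[3]
        elif conn_type in HOST_TYPES and len(fields) >= 5:
            # Older "IP-address IP-mask" form keeps the mask in its own field.
            has_mask = len(fields) >= 6 and _is_ip(fields[4])
            address = f"{fields[3]}/{fields[4]}" if has_mask else fields[3]
            method = fields[5] if has_mask else fields[4]
        else:
            continue
        if method == "trust" and (user in users or "all" in users):
            remote = conn_type != "local" and not _loopback_only(address)
            findings.append((line_no, conn_type, address, remote))
    return findings
```

Calling `find_trust_entries(SAMPLE_HBA)` returns one tuple per matching rule; a `True` in the last position means the rule accepts passwordless connections from non-loopback addresses. Quoted names, `+role` and `@file` user entries, and include directives are not expanded by this check.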

 
