CVE-2025-2506

CVE-2025-2506 is a medium-severity vulnerability with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-862.

Key facts

Description

When pglogical attempts to replicate data, it does not verify it is using a replication connection, which means a user with CONNECT access to a database configured for replication can execute the pglogical command to obtain read access to replicated tables. When pglogical runs it should verify it is running on a replication connection but does not perform this check. This vulnerability was introduced in the pglogical 3.x codebase, which is proprietary to EDB. The same code base has been integrated into BDR/PGD 4 and 5. To exploit the vulnerability the attacker needs at least CONNECT permissions to a database configured for replication and must understand a number of pglogical3/BDR specific commands and be able to decode the binary protocol.

Frequently asked questions

What is CVE-2025-2506?
When pglogical attempts to replicate data, it does not verify it is using a replication connection, which means a user with CONNECT access to a database configured for replication can execute the pglogical command to obtain read access to replicated tables. When pglogical runs it should verify it is running on a replication connection but does not perform this check. This vulnerability was introduced in the pglogical 3.x codebase, which is proprietary to EDB. The same code base has been integrated into BDR/PGD 4 and 5. To exploit the vulnerability the attacker needs at least CONNECT permissions to a database configured for replication and must understand a number of pglogical3/BDR specific commands and be able to decode the binary protocol.
How severe is CVE-2025-2506?
CVE-2025-2506 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2025-2506 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (18th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-2506?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-2506 have an EU (EUVD) identifier?
Yes. CVE-2025-2506 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-27726.
When was CVE-2025-2506 published?
CVE-2025-2506 was published on 2025-05-22 and last updated on 2026-06-17.

References

Other CWE-862 (Missing Authorization) vulnerabilities

Browse all CWE-862 (Missing Authorization) vulnerabilities →