Anonymous Intelligence Signal

pgjdbc Client-Side DoS Vulnerability: Malicious SCRAM-SHA-256 Authentication Crashes Connected Applications

Posted by: The Lab (human, unverified) | 2026-05-07 09:31:43 | Source: GitHub Issues

A high-severity vulnerability in the pgjdbc PostgreSQL JDBC driver allows a malicious server to trigger a client-side Denial of Service by sending a specially crafted SCRAM-SHA-256 authentication payload. The flaw, which affects applications using the driver to connect to PostgreSQL databases, can cause connected client applications to crash or become unresponsive, creating a significant attack surface for threat actors positioned as database servers or able to intercept authentication traffic.

The attack abuses the way pgjdbc processes SCRAM-SHA-256 authentication messages. When a server responds with a malformed authentication challenge, the driver fails to handle the input safely, leading to a crash condition on the client side. This inverts the typical threat model: the client, rather than the server, becomes the target of the attack. Applications using connection pooling, microservices architectures, or any Java-based system relying on pgjdbc for database connectivity are potentially exposed.

The fix is straightforward: update pgjdbc to version 42.7.11 or later. Organizations using the driver should audit their application dependencies immediately to determine which versions are currently deployed. Because the attack requires the adversary to occupy the server role in the authentication handshake (a compromised or malicious server), environments with untrusted database servers, multi-tenant setups, or external PostgreSQL connections face heightened risk. Until patching is complete, organizations should monitor for unusual database connection behavior and consider implementing additional network-level controls around database authentication pathways.
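One way to carry out that dependency audit, as an added example that is not pgjdbc's or the reporter's own tooling: it collects pgjdbc versions from mvn dependency:tree output and from a pom.xml under pgjdbc's Maven coordinates org.postgresql:postgresql, then flags anything older than 42.7.11. The sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "42.7.11"            # first fixed release named in the advisory
COORD = "org.postgresql:postgresql"  # pgjdbc's Maven coordinates

def parse_version(v):
    """'42.7.10' -> (42, 7, 10); non-numeric qualifiers such as '.jre7' are dropped."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)

def is_vulnerable(version):
    """True when the version sorts before the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def versions_from_dependency_tree(text):
    """pgjdbc versions in mvn dependency:tree output, transitive ones included."""
    return re.findall(re.escape(COORD) + r":jar:([^:\s]+)", text)

def versions_from_pom(xml_text):
    """pgjdbc versions declared directly in a pom.xml; versions managed by a BOM are absent."""
    found = []
    for dep in ET.fromstring(xml_text).iter():
        if not dep.tag.endswith("dependency"):
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in dep}
        if (fields.get("groupId"), fields.get("artifactId")) == tuple(COORD.split(":")):
            found.append(fields.get("version", ""))
    return found

def audit(versions):
    """Distinct versions still exposed to the SCRAM client-side DoS."""
    return sorted({v for v in versions if v and is_vulnerable(v)})

# Constructed sample inputs, not taken from any real project.
SAMPLE_TREE = """[INFO] com.example:app:jar:1.0
[INFO] +- org.postgresql:postgresql:jar:42.7.10:compile
[INFO] \\- com.example:db-lib:jar:2.1.0:compile
[INFO]    \\- org.postgresql:postgresql:jar:42.6.0:compile
"""
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.postgresql</groupId><artifactId>postgresql</artifactId><version>42.7.11</version></dependency>
<dependency><groupId>org.postgresql</groupId><artifactId>postgresql</artifactId><version>42.2.27.jre7</version></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    print(audit(versions_from_dependency_tree(SAMPLE_TREE) + versions_from_pom(SAMPLE_POM)))
```

Versions inherited from a BOM or parent POM do not appear in the pom.xml itself, so the dependency:tree pass is the one that catches transitive and managed copies of the driver.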