PgBouncer 1.24.1 has been released. This release fixes CVE-2025-2291, which could allow an attacker to bypass PostgreSQL password expiry. Such a password expiry would have been set up in PostgreSQL using the VALID UNTIL clause. This is a security issue that affects all versions of PgBouncer. If you use both VALID UNTIL and auth_user then you should upgrade, or change the auth_query in your config file to the new auth_query that is used by default in this release. If you are using a custom auth_query then you should update it to be similar to the new default auth_query in this release.
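As an added illustration, not text or code from the release announcement or from the PgBouncer project itself: a custom auth_query of the kind that ignores VALID UNTIL, beside a version that enforces it, and a query an operator can run to see whether any roles have an expiry set at all. The column names usename, passwd and valuntil are the real columns of the pg_shadow view; the exact wording of the new default auth_query is not quoted on this page, so the hardened query below is my own rendering of the same check, not the project's default.

```sql
-- Constructed example: the shape of a typical pre-1.24.1 custom auth_query.
-- PgBouncer substitutes the connecting client's user name for $1 and uses
-- the returned password hash to verify the client.  Nothing here consults
-- valuntil, so a role whose password has expired (VALID UNTIL in the past)
-- still gets a usable hash back and can authenticate through PgBouncer.
SELECT usename, passwd
  FROM pg_shadow
 WHERE usename = $1;

-- Hardened form (my own version of the check, not the project's default):
-- return no row at all once the password has expired.  PgBouncer treats an
-- empty auth_query result as an unknown user and rejects the login, which
-- matches what a direct PostgreSQL connection would do.  A NULL valuntil
-- means the password never expires.
SELECT usename, passwd
  FROM pg_shadow
 WHERE usename = $1
   AND (valuntil IS NULL OR valuntil > now());

-- Operator check: which roles actually have an expiry set?  If this returns
-- nothing and VALID UNTIL was never used, the auth_query path is not exposed
-- to this issue; otherwise fix the query or upgrade to 1.24.1.
SELECT rolname, rolvaliduntil
  FROM pg_authid
 WHERE rolvaliduntil IS NOT NULL
 ORDER BY rolvaliduntil;

-- Sanity test of the hardened query against a throwaway role (run as a
-- superuser in a test database; the role name is constructed):
--   CREATE ROLE expiry_test LOGIN PASSWORD 'x' VALID UNTIL '2000-01-01';
-- With $1 = 'expiry_test' the hardened SELECT returns zero rows while the
-- original returns one row carrying the still-valid hash.
--   DROP ROLE expiry_test;
```

Both pg_shadow and pg_authid are readable only by superusers, so whichever role is configured as auth_user must either be a superuser or call a SECURITY DEFINER wrapper function that runs the query on its behalf; whichever form you use, the valuntil condition has to be inside the query that actually returns the hash to PgBouncer.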
This release also fixes PAM authentication by reverting support for pam in the HBA file. PAM authentication was accidentally broken in 1.24.0.
See the full details in the changelog.
Download here: pgbouncer-1.24.1.tar.gz (sha256)