PostgresNIO Security Vulnerability

We've fixed a security issue in PostgresNIO - CVE-2023-31136

PostgresNIO Security Vulnerability

We're sorry for the delay in publishing. We had issues with our deployment pipeline that're now fixed.

We released PostgresNIO 1.14.2 last week, which contains a security fix for a vulnerability in PostgresNIO's TLS support. This has been designated as CVE-2023-31136.

Any user of PostgresNIO connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption. This is related to the issue in PostgreSQL itself, CVE-2021-23222.

Special thanks to PostgreSQL's Tom Lane <> for reporting the original issue and Fabian Fett for the fix in PostgresNIO!

For more information, see the security advisory on GitHub.