PostgresNIO processes unencrypted bytes from man-in-the-middle
Any user of PostgresNIO connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption. The remaining text in this section is quoted verbatim from PostgreSQL's CVE-2021-23222 advisory: If more preconditions hold, the attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session. …