June 5, 2026 by Rene Cannao · Release

Announcing ProxySQL 3.0.9 and 3.1.9

Today we are releasing ProxySQL 3.0.9 and 3.1.9. This release cycle focuses on security, latency under backend-pool pressure, PostgreSQL correctness and performance, MySQL/MariaDB compatibility, and build and packaging hardening.

Both releases are built from the same core codebase. ProxySQL 3.0.9 is the Stable Tier release recommended for production deployments, while ProxySQL 3.1.9 is the Innovative Tier release that includes the Stable core plus FFTO and TSDB.

ProxySQL 3.0.9 (Stable Tier)

ProxySQL 3.0.9 is a recommended upgrade for all production deployments. It includes two critical security fixes and several operational improvements that affect real-world production behavior.

Critical Security Fixes

This release fixes two critical, remotely triggerable vulnerabilities:

  • CVE-2026-48772: A PROXY Protocol v1 UNKNOWN frame could carry address fields that were parsed as the client source IP, allowing a client able to speak PROXY Protocol to bypass client_addr ACL rules.
  • CVE-2026-48773: An unauthenticated client could trigger a heap overflow during first-packet handling in the MySQL and PostgreSQL data streams.

Users running older 3.x builds should review the full release notes and upgrade.
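An added example (not ProxySQL's code or its actual fix) of how a PROXY Protocol v1 receiver can keep an UNKNOWN frame from influencing client_addr checks: per the PROXY protocol specification, everything between UNKNOWN and CRLF is ignored, so the ACL falls back to the socket peer address. The names Verdict, port_ok, parse_proxy_v1 and acl_address are hypothetical; the sketch tokenizes on whitespace more leniently than the spec's single-space grammar and assumes the peer is already permitted to send PROXY headers.

```cpp
#include <arpa/inet.h>
#include <sstream>
#include <string>
#include <vector>

enum class Verdict { Reject, UseSocketPeer, UseHeaderSource };

static bool port_ok(const std::string& s) {
    if (s.empty() || s.size() > 5) return false;
    for (char c : s) if (c < '0' || c > '9') return false;
    return std::stoi(s) <= 65535;
}

// Hypothetical helper, not ProxySQL's API. Parses one PROXY protocol v1 line
// and reports which address a client_addr ACL may trust; src_ip is filled
// only when the verdict is UseHeaderSource.
Verdict parse_proxy_v1(const std::string& buf, std::string& src_ip) {
    src_ip.clear();
    const std::string::size_type eol = buf.find("\r\n");
    // The v1 spec caps the header line at 107 bytes including CRLF.
    if (eol == std::string::npos || eol + 2 > 107) return Verdict::Reject;
    std::istringstream in(buf.substr(0, eol));
    std::vector<std::string> f;
    for (std::string tok; in >> tok;) f.push_back(tok);
    if (f.size() < 2 || f[0] != "PROXY") return Verdict::Reject;

    // UNKNOWN: whatever follows is ignored, so no header field can ever
    // become the address the ACL evaluates.
    if (f[1] == "UNKNOWN") return Verdict::UseSocketPeer;

    const int af = f[1] == "TCP4" ? AF_INET : f[1] == "TCP6" ? AF_INET6 : -1;
    if (af == -1 || f.size() != 6) return Verdict::Reject;
    unsigned char tmp[16];
    if (inet_pton(af, f[2].c_str(), tmp) != 1 ||
        inet_pton(af, f[3].c_str(), tmp) != 1 ||
        !port_ok(f[4]) || !port_ok(f[5]))
        return Verdict::Reject;
    src_ip = f[2];
    return Verdict::UseHeaderSource;
}
// Address the ACL evaluates; an empty string means drop the connection.
std::string acl_address(const std::string& header, const std::string& peer) {
    std::string src;
    switch (parse_proxy_v1(header, src)) {
        case Verdict::UseHeaderSource: return src;
        case Verdict::UseSocketPeer:   return peer;
        default:                       return "";
    }
}
```

A regression test for this class of bug should assert that an UNKNOWN line with trailing address fields yields the socket peer address, not the address carried in the header.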

Backend-Pool Session Scheduler

The headline performance change in 3.0.9 is a new backend-pool session scheduler. Under heavy contention, when many client sessions compete for a limited backend pool, ProxySQL now prioritizes the longest-waiting sessions and reduces starvation risk.

This is automatic. There is no new configuration required. The scheduler engages only when pool contention is detected, helping reduce average and tail latency while preserving normal behavior when the pool is not under pressure.

ParserSQL: Optional AST-Based Parser

ProxySQL now includes ParserSQL as an optional AST-based SQL parser engine. It can be used for query-digest generation, command-type classification, and SET parsing for both MySQL and PostgreSQL.

ParserSQL is disabled by default. The existing parser remains the default behavior, and operators can opt in through the protocol-specific parser variables. This gives users a conservative upgrade path while allowing the new parser to be evaluated in controlled environments.

PostgreSQL Improvements

This release continues the work to make ProxySQL a first-class proxy for PostgreSQL workloads:

  • Independent PostgreSQL DNS cache: PgSQL backends now use their own DNS cache, avoiding synchronous resolver stalls inside libpq when DNS is degraded.
  • Faster SCRAM-SHA-256 authentication: Digest and verifier caching significantly reduces CPU overhead on SCRAM-heavy workloads.
  • Query digest correctness: PostgreSQL query digests no longer truncate incorrectly around typecasts.
  • Startup option handling: Backend startup options are handled correctly, including scenarios where ProxySQL connects through PgBouncer.

MySQL, MariaDB, and Aurora Improvements

ProxySQL 3.0.9 also fixes several MySQL and MariaDB protocol edge cases:

  • AWS Aurora replica autopurge removes stale replicas from mysql_servers after they disappear from REPLICA_HOST_STATUS.
  • MariaDB collation handling avoids forwarding MySQL 8/9-specific collations to MariaDB backends.
  • Fast routing correctness fixes an issue where mysql_query_rules_fast_routing could be bypassed incorrectly.
  • Large prepared-statement packet handling fixes a double-free path that could crash the proxy.
  • Galera wsrep session variables are now tracked and synchronized to backend connections.
  • MariaDB SET STATEMENT ... FOR is recognized and forwarded without incorrectly locking the session to a hostgroup.

Build and Packaging

The release also includes dependency, build, and packaging hardening:

  • ParserSQL 1.0.9 is vendored and its build process now honors the configured compiler.
  • jemalloc is patched for GCC 16, with Fedora 44 added to the package matrix.
  • DEB packages are normalized to xz compression for signed-package compatibility.
  • libconfig escape-sequence handling is patched to preserve values such as passwords in configuration files.
  • arm64 install-verification is more portable on minimal images.

ProxySQL 3.1.9 (Innovative Tier)

ProxySQL 3.1.9 inherits the same core improvements from 3.0.9 and remains the Innovative Tier release for users who want FFTO and TSDB in addition to the Stable core.

The 3.1.9-specific fix is for the embedded TSDB dashboard. The dashboard is now served from the REST API port, so its metric queries resolve same-origin with the API endpoints they call. This fixes the previous “Error loading metrics” behavior without requiring CORS changes or extra configuration.

As with earlier 3.1.x releases, administrators should treat this tier as the right place to adopt newer observability features while keeping the 3.0.x Stable Tier for the most conservative production deployments.

Why There Is No 4.0.9 Release This Cycle

Starting with ProxySQL 3.0.6, we introduced a multi-tier release strategy and have normally released three versions together: 3.0.x Stable, 3.1.x Innovative, and 4.0.x AI/MCP.

This cycle is intentionally different: we are releasing 3.0.9 and 3.1.9, but not 4.0.9.

The reason is quality. The 4.0.x series is being re-architected in substantial ways. By design, 4.0.x carries more experimental work than the Stable Tier, but it still has to meet our release bar. For this cycle, we did not feel the 4.0.x changes had received enough testing to publish them with the level of confidence our users should expect.

Holding 4.0.9 is therefore not a change in direction. It is a deliberate decision to avoid releasing code before it has been tested enough. The 4.0.x tier remains an important part of the ProxySQL roadmap, and we will resume publishing it when the architecture changes are ready.

Contributors

We would like to thank @renecannao, @rahim-kanji, and @wazir-ahmed for their work on this release.

We also thank @addcontent and @kamil-sawicki for the responsible security disclosures addressed in this release.


Ready to upgrade? Check out the full release notes for 3.0.9 and 3.1.9.