Denial of Service Vulnerability in PostgreSQL Affecting Multiple Versions
CVE-2025-12817
3.1 LOW
What is CVE-2025-12817?
This vulnerability in PostgreSQL lets a table owner cause a denial of service for other users who try to run the CREATE STATISTICS command: the server permits the table owner to create a statistics object in any schema without the appropriate authorization on that schema. Once such an object occupies a name, later attempts to create statistics with the same name by users who do hold the CREATE privilege fail, leading to operational disruptions. Affected versions include those prior to 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23.
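The following audit query is an added example and is not part of the advisory or of the PostgreSQL project's own tooling. It assumes a database administrator runs it with catalog read access on a server of one of the affected versions, and it relies only on the standard pg_statistic_ext, pg_namespace and pg_class catalogs and the has_schema_privilege() function. It lists extended statistics objects whose owner lacks CREATE on the schema that contains them, which is the condition the advisory describes: such an object occupies a name that users with CREATE on the schema would otherwise be able to use.

```sql
-- Added audit query (not from the advisory): find extended statistics objects
-- placed in a schema on which their owner holds no CREATE privilege.
-- Report the installed server version alongside the result so the operator
-- can compare it with the fixed releases named in the advisory.
SELECT current_setting('server_version') AS server_version;

SELECT n.nspname                   AS schema_name,
       s.stxname                   AS statistics_name,
       pg_get_userbyid(s.stxowner) AS owner_name,
       c.relname                   AS table_name
FROM   pg_catalog.pg_statistic_ext s
JOIN   pg_catalog.pg_namespace     n ON n.oid = s.stxnamespace
JOIN   pg_catalog.pg_class         c ON c.oid = s.stxrelid
-- has_schema_privilege(role oid, schema oid, privilege) is false exactly
-- when the owner could not have created the object in that schema by the
-- normal CREATE privilege check.
WHERE  NOT has_schema_privilege(s.stxowner, n.oid, 'CREATE')
ORDER  BY schema_name, statistics_name;
```

An empty result means no statistics object currently occupies a schema its owner is not authorized to create in. Rows returned should be reviewed with the object's owner before removal, since the object may have been created legitimately before a privilege was revoked; the durable fix is upgrading to one of the releases listed in the description.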
Affected Version(s)
PostgreSQL 18 < 18.1
PostgreSQL 17 < 17.7
PostgreSQL 16 < 16.11
References
CVSS V3.1
Score: 3.1
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.