CVE-2025-12817

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema.  A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail.  Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
PostgreSQLCNA
3.1 LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
Debian logo
Debian Releases
Debian Product
Codename
postgresql-13
bullseye
vulnerable
trixie
no-dsa
bookworm
no-dsa
bullseye (security)
13.23-0+deb11u1
fixed
postgresql-15
bookworm
no-dsa
trixie
no-dsa
bookworm (security)
vulnerable
postgresql-17
trixie
no-dsa
bookworm
no-dsa
sid
vulnerable
postgresql-18
forky
18.1-2
fixed
sid
18.1-2
fixed
trixie
no-dsa
bookworm
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
postgresql-18
questing
dne
plucky
dne
noble
dne
jammy
dne
postgresql-17
questing
Fixed 17.7-0ubuntu0.25.10.1
released
plucky
Fixed 17.7-0ubuntu0.25.04.1
released
noble
dne
jammy
dne
postgresql-16
questing
dne
plucky
dne
noble
Fixed 16.11-0ubuntu0.24.04.1
released
jammy
dne
postgresql-14
questing
dne
plucky
dne
noble
dne
jammy
Fixed 14.20-0ubuntu0.22.04.1
released
postgresql-12
questing
dne
plucky
dne
noble
dne
jammy
dne
focal
needs-triage
postgresql-10
questing
dne
plucky
dne
noble
dne
jammy
dne
bionic
needs-triage
postgresql-9.5
questing
dne
plucky
dne
noble
dne
jammy
dne
xenial
needs-triage
postgresql-9.3
questing
dne
plucky
dne
noble
dne
jammy
dne
trusty
deferred
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://www.postgresql.org/support/security/CVE-2025-12817/