CVE-2025-12817

Name: CVE-2025-12817

Description: Missing authorization in the PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating statistics objects in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

NVD Severity: low

References

| Type | URI |
|---|---|
| f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | https://www.postgresql.org/support/security/CVE-2025-12817/ |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| | postgresql | == 18 | == None |
| | postgresql | == 17 | == None |
| | postgresql | == 16 | == None |
| | postgresql | == 15 | == None |
| | postgresql | == 14 | == None |
| | postgresql | == 0 | == None |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| postgresql18 | edge-main | 18.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql18 | 3.23-main | 18.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql17 | edge-main | 17.7-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql17 | 3.23-main | 17.7-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql17 | 3.22-main | 17.7-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql17 | 3.21-main | 17.7-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql16 | edge-community | 16.11-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql16 | 3.23-community | 16.11-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql16 | 3.22-main | 16.11-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql16 | 3.21-main | 16.11-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql16 | 3.20-main | 16.11-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql16 | 3.19-main | 16.11-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql15 | 3.22-community | 15.15-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql15 | 3.20-main | 15.15-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql15 | 3.19-main | 15.15-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| postgresql | edge-main | 14.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| postgresql | edge-main | 13.4-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| postgresql | edge-main | 13.3-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| postgresql | edge-main | 13.2-r0 | None | possibly vulnerable |
| postgresql | edge-main | 12.5-r0 | None | possibly vulnerable |
| postgresql | edge-main | 12.4-r0 | None | possibly vulnerable |
| postgresql | edge-main | 12.2-r0 | None | possibly vulnerable |
| postgresql | edge-main | 11.5-r0 | None | possibly vulnerable |
| postgresql | edge-main | 11.4-r0 | None | possibly vulnerable |
| postgresql | edge-main | 11.3-r0 | None | possibly vulnerable |
| postgresql | edge-main | 11.1-r0 | None | possibly vulnerable |
| postgresql | edge-main | 10.5-r0 | None | possibly vulnerable |
| postgresql | edge-main | 10.4-r0 | None | possibly vulnerable |
| postgresql | edge-main | 10.3-r0 | None | possibly vulnerable |
| postgresql | edge-main | 10.2-r0 | None | possibly vulnerable |
| postgresql | edge-main | 10.1-r0 | None | possibly vulnerable |
| postgresql | edge-main | 9.6.4-r0 | None | possibly vulnerable |
| postgresql | edge-main | 9.6.3-r0 | None | possibly vulnerable |