CVE-2025-12817

Summary

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

Affected Software

VendorProductVersion RangeStatus
n/aPostgreSQL18 < 18.1affected
n/aPostgreSQL17 < 17.7affected
n/aPostgreSQL16 < 16.11affected
n/aPostgreSQL15 < 15.15affected
n/aPostgreSQL14 < 14.20affected
n/aPostgreSQL0 < 13.23affected

Weaknesses

  • CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References