CVE-2025-12817

low-risk

Published 2025-11-13

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.1/10 Low

NETWORK / HIGH complexity

References (1)

https://www.postgresql.org/support/security/CVE-2025-12817/

/ 100

low-risk

Severity 11/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal