CVE-2025-12817
📋 TL;DR
A missing authorization vulnerability in PostgreSQL's CREATE STATISTICS command allows table owners to create statistics objects in any schema, causing denial of service for other users attempting to create statistics with the same name. This affects PostgreSQL versions before 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23. Users with CREATE privilege on affected databases are impacted.
💻 Affected Systems
- PostgreSQL
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious table owners could systematically create statistics objects with common names across all schemas, preventing legitimate users from creating any statistics and degrading database performance monitoring capabilities.
Likely Case
Accidental or targeted interference where a table owner creates statistics that conflict with names used by other users, causing CREATE STATISTICS operations to fail until conflicts are resolved.
If Mitigated
Minimal impact with proper schema separation and naming conventions, though the vulnerability still exists in the authorization mechanism.
🎯 Exploit Status
Exploitation requires valid database credentials with table ownership privileges. The vulnerability is in authorization logic rather than a complex technical flaw.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23
Vendor Advisory: https://www.postgresql.org/support/security/CVE-2025-12817/
Restart Required: Yes
Instructions:
1. Identify your PostgreSQL version using 'SELECT version();'.
2. Download the appropriate patched version from postgresql.org.
3. Follow PostgreSQL upgrade procedures for your specific version.
4. Restart the PostgreSQL service after patching.
🔧 Temporary Workarounds
Restrict CREATE STATISTICS Privileges
Temporarily revoke CREATE privilege from users who don't absolutely need it to reduce attack surface.
REVOKE CREATE ON SCHEMA public FROM username;
-- PostgreSQL has no "ALL SCHEMAS IN DATABASE" form; repeat the statement for each schema in the database:
REVOKE CREATE ON SCHEMA other_schema FROM username;
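The following is an added example, not part of this advisory or of PostgreSQL's own documentation: a PL/pgSQL block that applies the per-schema REVOKE above to every non-system schema in the current database, since there is no single statement that covers all schemas. The role name app_user is a placeholder to replace with the role being restricted.

```sql
-- Added example (not from the advisory): revoke CREATE on every user schema
-- in the current database from one role. app_user is a placeholder.
-- Must be run by a superuser or by the owner of each schema, because REVOKE
-- on a schema is only permitted to its owner.
DO $$
DECLARE
    s name;
BEGIN
    FOR s IN
        SELECT nspname
        FROM pg_namespace
        WHERE nspname NOT LIKE 'pg\_%'          -- skip pg_catalog, pg_toast, pg_temp_*
          AND nspname <> 'information_schema'
        ORDER BY nspname
    LOOP
        -- %I quotes the identifiers, so unusual schema names are handled safely
        EXECUTE format('REVOKE CREATE ON SCHEMA %I FROM %I', s, 'app_user');
        RAISE NOTICE 'revoked CREATE on schema % from app_user', s;
    END LOOP;
END
$$;
```

Two caveats apply. On PostgreSQL 14 and earlier the public schema grants CREATE to the PUBLIC pseudo-role by default, and a revoke from a named role does not touch that grant, so `REVOKE CREATE ON SCHEMA public FROM PUBLIC;` is needed as well (PostgreSQL 15 removed the default grant). The block also changes nothing about tables that already exist, so roles that already own tables keep the ability the advisory describes until the server is patched.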
Implement Naming Conventions
Enforce strict naming conventions for statistics objects to reduce conflict potential.
-- No specific commands - implement organizational policy for naming statistics objects with prefixes or suffixes
🧯 If You Can't Patch
- Implement strict least-privilege access controls, ensuring only necessary users have CREATE privilege and table ownership.
- Monitor database logs for failed CREATE STATISTICS operations and investigate conflicts between users.
🔍 How to Verify
Check if Vulnerable:
Connect to PostgreSQL and run SELECT version();. If the reported version is earlier than the patched release for its major version (18.1, 17.7, 16.11, 15.15, 14.20, or 13.23), the system is vulnerable.
Check Version:
SELECT version();
Verify Fix Applied:
After patching, run SELECT version(); again and confirm that the reported version is at or above the patched release for its major version: 18.1, 17.7, 16.11, 15.15, 14.20, or 13.23.
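As an added example (not from the advisory or from PostgreSQL's documentation), the same check as a single query that returns a verdict instead of a version string to read by eye. It relies on server_version_num, which encodes the version as major*10000 + minor (17.7 is 170007), so each patched release listed above becomes an integer threshold; majors outside that list get no verdict and should be checked against the vendor advisory.

```sql
-- Added example (not from the advisory): classify the running server against the
-- first fixed release of each affected major listed in this advisory.
WITH fixed(major, fixed_num) AS (
    VALUES (18, 180001),   -- 18.1
           (17, 170007),   -- 17.7
           (16, 160011),   -- 16.11
           (15, 150015),   -- 15.15
           (14, 140020),   -- 14.20
           (13, 130023)    -- 13.23
),
running AS (
    SELECT current_setting('server_version_num')::int AS num
)
SELECT r.num                AS server_version_num,
       f.fixed_num          AS first_fixed_release,
       CASE
           WHEN f.fixed_num IS NULL THEN 'major not in this fix list: check the vendor advisory'
           WHEN r.num >= f.fixed_num THEN 'patched'
           ELSE 'VULNERABLE: upgrade to '
                || (f.fixed_num / 10000)::text || '.' || (f.fixed_num % 10000)::text
       END                  AS status
FROM running r
LEFT JOIN fixed f ON f.major = r.num / 10000;
```

Run it in every database cluster, not just one database, because the version is a property of the server process; a cluster on 18.0 reports 180000, which is below the 180001 threshold and is flagged as vulnerable.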
📡 Detection & Monitoring
Log Indicators:
- Failed CREATE STATISTICS operations with 'already exists' errors
- Multiple CREATE STATISTICS attempts from different users for same object names
Network Indicators:
- No specific network indicators - this is a database-level authorization issue
SIEM Query:
source="postgresql.log" AND ("CREATE STATISTICS" AND "already exists" AND "ERROR")
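A log search shows attempts that failed; the catalog shows what was actually created. The query below is an added example, not part of this advisory, and uses the pg_statistic_ext, pg_class and pg_namespace catalogs: it lists every extended statistics object whose schema differs from its table's schema, together with whether the object's owner holds CREATE privilege on the schema the object sits in.

```sql
-- Added example (not from the advisory): review extended statistics objects that
-- were placed in a schema other than the one holding the table they describe.
SELECT sn.nspname                  AS stats_schema,
       s.stxname                   AS stats_name,
       tn.nspname                  AS table_schema,
       c.relname                   AS table_name,
       pg_get_userbyid(s.stxowner) AS stats_owner,
       -- false here means the owner could not have created an ordinary object
       -- in that schema; this is the case the patched releases reject
       has_schema_privilege(s.stxowner, sn.oid, 'CREATE') AS owner_can_create_here
FROM pg_statistic_ext s
JOIN pg_namespace sn ON sn.oid = s.stxnamespace   -- schema of the statistics object
JOIN pg_class     c  ON c.oid  = s.stxrelid       -- table the statistics describe
JOIN pg_namespace tn ON tn.oid = c.relnamespace   -- schema of that table
WHERE s.stxnamespace <> c.relnamespace
ORDER BY stats_schema, stats_name;
```

A mismatch by itself is not suspicious: CREATE STATISTICS puts the object in the schema named in the statement, or in the current schema when the name is unqualified, so a different search_path is enough to produce one. The rows to review are those with owner_can_create_here = false (superusers pass every privilege check, so their rows always read true). Patching stops new objects from being created this way but does not remove existing ones, so the query is also worth running once after the upgrade.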