CVE-2025-12817 LOW

CVE-2025-12817: PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege

Vendor N/A
Product PostgreSQL
Weakness CWE-862 · Missing authorization
Published November 13, 2025
Last update November 13, 2025

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

Missing authorization in the PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating statistics objects in any schema, without holding the CREATE privilege on that schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
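An audit query for the condition described above, added here as an example and not taken from the PostgreSQL project or this record. It compares the running server against the fixed releases listed in the description, then lists extended statistics objects whose owner does not currently hold CREATE on the schema that contains them; the status labels are this example's own wording.

```sql
-- 1. Is this server older than the fixed minor release for its major version?
--    server_version_num is major * 10000 + minor for PostgreSQL 10 and later.
WITH v AS (
    SELECT current_setting('server_version_num')::int AS num
),
fixed (major, minor) AS (
    -- Fixed releases as listed in the advisory text.
    VALUES (18, 1), (17, 7), (16, 11), (15, 15), (14, 20), (13, 23)
)
SELECT v.num AS server_version_num,
       CASE
           WHEN f.major IS NULL       THEN 'major version not listed in the advisory'
           WHEN v.num % 10000 < f.minor THEN 'affected'
           ELSE 'fixed'
       END AS status
FROM v
LEFT JOIN fixed AS f ON f.major = v.num / 10000;

-- 2. Statistics objects sitting in a schema where their owner lacks CREATE.
--    Run in each database. Rows are candidates for review, not proof of abuse:
--    the privilege may have been revoked after the object was created.
--    Superuser owners never appear, since they pass every privilege check.
SELECT s.stxnamespace::regnamespace AS stats_schema,
       s.stxname                    AS stats_name,
       s.stxowner::regrole          AS stats_owner,
       s.stxrelid::regclass         AS on_table
FROM pg_catalog.pg_statistic_ext AS s
WHERE NOT pg_catalog.has_schema_privilege(s.stxowner, s.stxnamespace, 'CREATE')
ORDER BY stats_schema, stats_name;
```

A statistics object found this way can be removed with DROP STATISTICS by its owner or a superuser, which frees the name for the user who holds CREATE on the schema.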

Key dates

02 Disclosure timeline

November 13, 2025 CVE published
November 13, 2025 Record updated