PostgreSQL CREATE STATISTICS Auth Bypass Causing DoS 18.1
CVE-2025-12817 Published on November 13, 2025
PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege
Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
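An audit for this condition, as an added example that is not part of the advisory: the first query compares the running server with the fixed releases listed above, and the second lists extended statistics objects whose owner does not currently hold CREATE on the schema containing them. Hits are candidates for review only, since a privilege may have been revoked after a legitimate creation.

```sql
-- Added example; run in each database as a role that can read the system catalogs.

-- 1. Is this server older than the fixed minor release for its major version?
--    Major versions not named in the advisory text return NULL (unknown).
SELECT current_setting('server_version') AS server_version,
       CASE current_setting('server_version_num')::int / 10000
            WHEN 18 THEN current_setting('server_version_num')::int < 180001
            WHEN 17 THEN current_setting('server_version_num')::int < 170007
            WHEN 16 THEN current_setting('server_version_num')::int < 160011
            WHEN 15 THEN current_setting('server_version_num')::int < 150015
            WHEN 14 THEN current_setting('server_version_num')::int < 140020
            WHEN 13 THEN current_setting('server_version_num')::int < 130023
       END AS below_fixed_release;

-- 2. Extended statistics objects whose owner lacks CREATE on the schema they
--    live in. On a fixed server such an object could not be created, so each
--    row is worth checking with the schema owner. Superuser owners never
--    appear here because has_schema_privilege() is always true for them.
SELECT sn.nspname                        AS statistics_schema,
       s.stxname                         AS statistics_name,
       pg_get_userbyid(s.stxowner)       AS statistics_owner,
       tn.nspname                        AS table_schema,
       c.relname                         AS table_name,
       -- A statistics object placed outside its table's schema is the
       -- pattern the advisory describes ("creating in any schema").
       (s.stxnamespace <> c.relnamespace) AS schema_differs_from_table
FROM pg_statistic_ext s
JOIN pg_namespace sn ON sn.oid = s.stxnamespace
JOIN pg_class     c  ON c.oid  = s.stxrelid
JOIN pg_namespace tn ON tn.oid = c.relnamespace
WHERE NOT has_schema_privilege(s.stxowner, s.stxnamespace, 'CREATE')
ORDER BY statistics_schema, statistics_name;
```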
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2025-12817 has been classified as an AuthZ vulnerability or weakness.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.