Overview
CVE-2025-12817 is a low-severity vulnerability in the CREATE STATISTICS command of PostgreSQL. Because of a missing authorization check, a table owner can cause a denial of service (DoS) for other users of CREATE STATISTICS: if the table owner creates a statistics object with a given name in any schema, a later CREATE STATISTICS using that name in that schema, issued by a user who does hold the appropriate CREATE privilege, fails. This article describes the vulnerability, its impact, and the recommended fix.
Technical Details
The vulnerability is a missing authorization check in the CREATE STATISTICS implementation of the affected PostgreSQL versions. CREATE STATISTICS requires the caller to own the table the statistics are built from, but the affected versions never checked whether the caller also holds CREATE privilege on the schema the new statistics object is placed in. A table owner can therefore create statistics objects, under names of their choosing, in schemas where they have no right to create objects.
Statistics object names are unique within a schema (pg_statistic_ext carries a unique index on the name and namespace columns). When another user, who does hold CREATE privilege on that schema, later issues CREATE STATISTICS with the same schema-qualified name for their own table, the command fails with "statistics object ... already exists", because the name has already been taken by the table owner's object. The consequence is that the first user can block authorized users from creating the statistics objects they need, with the performance effects described below.
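The scenario above played out as SQL. This is an added example, not part of the advisory or of PostgreSQL's own documentation; the roles owner_a and dba_b, the schema app and the tables app.orders and app.shipments are invented for the demo. It is meant to be run as a superuser (so the ownership transfers are allowed) against a scratch database.

```sql
-- Added example, not from the advisory. Plays out the collision it describes:
-- a table owner takes a statistics object name in a schema, and a later
-- CREATE STATISTICS by a user who holds CREATE on that schema fails.
-- Roles, schema and tables below are invented for the demo. Run as superuser.

CREATE ROLE owner_a LOGIN;
CREATE ROLE dba_b LOGIN;
CREATE SCHEMA app;
GRANT USAGE ON SCHEMA app TO owner_a, dba_b;
GRANT CREATE ON SCHEMA app TO dba_b;   -- dba_b may create objects in app;
                                       -- owner_a deliberately gets no CREATE

CREATE TABLE app.orders    (customer_id int, region text, amount numeric);
CREATE TABLE app.shipments (customer_id int, region text, carrier text);
ALTER TABLE app.orders    OWNER TO owner_a;
ALTER TABLE app.shipments OWNER TO dba_b;

-- Step 1: the table owner creates a statistics object on its own table and
-- places it in app, a schema on which it holds no CREATE privilege.
-- On an affected release this succeeds (the missing check). On a fixed
-- release the expected outcome is:  ERROR:  permission denied for schema app
SET ROLE owner_a;
CREATE STATISTICS app.cust_region_stat (dependencies)
    ON customer_id, region FROM app.orders;
RESET ROLE;

-- Step 2: the user who does hold CREATE on app wants the same name for its
-- own table. Statistics object names are unique per schema, so this fails:
--   ERROR:  statistics object "cust_region_stat" already exists
-- (SQLSTATE 42710, duplicate_object)
SET ROLE dba_b;
CREATE STATISTICS app.cust_region_stat (ndistinct)
    ON customer_id, region FROM app.shipments;

-- The IF NOT EXISTS form does not error: it emits a NOTICE and creates
-- nothing, so a migration using it silently leaves shipments without the
-- statistics it was meant to get.
CREATE STATISTICS IF NOT EXISTS app.cust_region_stat (ndistinct)
    ON customer_id, region FROM app.shipments;
RESET ROLE;

-- Triage: which object holds the name, who owns it, and on which table?
SELECT n.nspname AS schema, s.stxname, pg_get_userbyid(s.stxowner) AS owner,
       s.stxrelid::regclass AS on_table
FROM pg_statistic_ext s
JOIN pg_namespace n ON n.oid = s.stxnamespace
WHERE n.nspname = 'app' AND s.stxname = 'cust_region_stat';
```

Step 1 doubles as a check for whether a server still has the bug: if a table owner without CREATE on the schema gets through, the server is unpatched. The final query is the one to reach for when a CREATE STATISTICS fails unexpectedly, since the error message names the object but not its owner.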
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12817 is 3.1 (LOW).
- CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): Low (L)
While the score is low, it’s important to understand the context and potential consequences within a specific database environment.
Possible Impact
The impact of this vulnerability is primarily a denial of service. An attacker, or simply a careless user, who owns a table can occupy statistics object names in a schema and so prevent other users from creating statistics objects under those names on their own tables, potentially leading to:
- Degraded query performance due to the lack of up-to-date statistics.
- Operational disruptions as database administrators are unable to optimize query plans effectively.
- Difficulty in troubleshooting performance issues.
The impact is limited in scope: only the creation of new statistics objects is affected. Existing statistics objects, and the query plans that rely on them, are not affected, and no data is disclosed or modified.
Mitigation and Patch Steps
The recommended mitigation is to upgrade to a patched version of PostgreSQL:
- PostgreSQL 18.1 and later
- PostgreSQL 17.7 and later
- PostgreSQL 16.11 and later
- PostgreSQL 15.15 and later
- PostgreSQL 14.20 and later
- PostgreSQL 13.23 and later
The fix adds the missing CREATE privilege check on the target schema to CREATE STATISTICS, so a statistics object can only be created in a schema by a user who is allowed to create objects there; table owners can no longer occupy names in schemas they have no right to create in.
Workaround (Temporary):
Until the upgrade is done, the options are limited. The failure is explicit (the command errors with "statistics object ... already exists"), so it can be watched for in server logs and in migration tooling; note that CREATE STATISTICS IF NOT EXISTS skips silently with a NOTICE instead of erroring. When a collision occurs, the blocked user can choose a different name, or an administrator can rename or drop the colliding object. Agreeing on naming conventions with database users reduces accidental collisions but does nothing against a deliberate one, so none of this is a reliable or scalable long-term solution.
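Two checks an operator can run while planning the upgrade, plus the cleanup step for a name that is already blocked. This is an added example, not from the advisory; the object name app.cust_region_stat in the last statements is hypothetical, and pg_statistic_ext is per database, so the audit query has to be run in each database of the cluster.

```sql
-- Added example, not from the advisory. Run in each database, e.g. via psql.

-- 1. Does this server already carry the fix? server_version_num encodes
--    major*10000 + minor, so 17.7 is 170007 and 18.1 is 180001. The
--    thresholds are the fixed releases listed in the advisory.
WITH v AS (SELECT current_setting('server_version_num')::int AS n)
SELECT current_setting('server_version') AS version,
       CASE n / 10000
         WHEN 18 THEN n >= 180001
         WHEN 17 THEN n >= 170007
         WHEN 16 THEN n >= 160011
         WHEN 15 THEN n >= 150015
         WHEN 14 THEN n >= 140020
         WHEN 13 THEN n >= 130023
         ELSE NULL   -- major version not in the advisory's fixed-version list
       END AS has_cve_2025_12817_fix
FROM v;

-- 2. Audit: statistics objects whose owner lacks CREATE privilege on the
--    schema that contains them. On an unpatched server these could only
--    have been created through the missing check; the other explanation is
--    a privilege revoked after the object was created, so compare the hits
--    with your grant history before acting on them.
SELECT n.nspname AS schema, s.stxname,
       pg_get_userbyid(s.stxowner) AS owner,
       s.stxrelid::regclass        AS on_table
FROM pg_statistic_ext s
JOIN pg_namespace n ON n.oid = s.stxnamespace
WHERE NOT has_schema_privilege(s.stxowner, n.oid, 'CREATE')
ORDER BY 1, 2;

-- 3. Freeing a blocked name (hypothetical object app.cust_region_stat).
--    Renaming keeps the owner's statistics in use; dropping removes them.
ALTER STATISTICS app.cust_region_stat RENAME TO cust_region_stat_owner_a;
-- or:
-- DROP STATISTICS app.cust_region_stat;
```

The rename is the gentler option: the table owner's statistics keep working under the new name, and the name the privileged user needs becomes available without any loss of planner information.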