CVE-2025-12817 is a vulnerability in PostgreSQL's CREATE STATISTICS command caused by missing authorization checks. Specifically, a table owner can create statistics objects in any schema without proper permission validation. This flaw enables the owner to block other users who also have CREATE privileges from creating statistics objects with the same name, effectively causing a denial of service (DoS) condition for those users. The vulnerability affects multiple PostgreSQL versions before 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23. The attack vector is network-based with a high attack complexity, requiring the attacker to have low privileges (table owner) but no user interaction. The vulnerability does not impact confidentiality or integrity but can degrade availability by preventing legitimate CREATE STATISTICS commands from succeeding. No known exploits have been reported in the wild, and patches are expected or available in the fixed versions. This issue is particularly relevant in environments where multiple users share database access and rely on statistics for query optimization and performance.

For European organizations, the primary impact of CVE-2025-12817 is a denial of service condition affecting database operations related to statistics creation. This can degrade database performance and query optimization, potentially impacting application responsiveness and availability. Organizations with multi-tenant or multi-user PostgreSQL deployments are at higher risk, as one user can disrupt others' ability to maintain accurate statistics. While the vulnerability does not expose sensitive data or allow unauthorized data modification, the availability impact can affect business-critical applications relying on PostgreSQL. Industries with heavy database usage such as finance, healthcare, and e-commerce in Europe could experience operational disruptions if unpatched. The low severity and lack of known exploits reduce immediate risk, but the potential for internal misuse or accidental disruption remains.

European organizations should promptly upgrade affected PostgreSQL instances to versions 18.1, 17.7, 16.11, 15.15, 14.20, or 13.23 or later where the vulnerability is fixed. Until patching, restrict CREATE STATISTICS privileges to trusted users only and monitor usage patterns for unusual statistics creation attempts. Implement role-based access controls to limit table ownership and schema modification rights. Regularly audit database permissions and schema objects to detect unauthorized statistics objects. Employ database activity monitoring tools to alert on failed CREATE STATISTICS commands that may indicate attempted exploitation. Additionally, educate database administrators and users about the risk and encourage prompt reporting of anomalies. Avoid granting unnecessary CREATE privileges in shared environments to reduce attack surface.