CVE-2025-8713
Aug. 15, 2025, 1:13 p.m.
3.1
Low
Description
PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Postgresql |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-1230
Exposure of Sensitive Information Through Metadata
The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | postgresql | postgres | / | / | / | / | / | / | / | / |
| a | postgresql | postgres | <17.6 | / | / | / | / | / | / | |
| a | postgresql | postgres | <16.10 | / | / | / | / | / | / | |
| a | postgresql | postgres | <15.14 | / | / | / | / | / | / | |
| a | postgresql | postgres | <14.19 | / | / | / | / | / | / | |
| a | postgresql | postgres | <13.22 | / | / | / | / | / | / |
Tags
CVSS Score
CVSS Data - 3.1
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: LOW
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: NONE
- Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Timeline
Published: Aug. 14, 2025, 1:15 p.m.
Last Modified: Aug. 15, 2025, 1:13 p.m.
Last Modified: Aug. 15, 2025, 1:13 p.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.