CVE-2025-8713: 
PostgreSQL vulnerability analysis and mitigation

PostgreSQL optimizer statistics vulnerability (CVE-2025-8713) was disclosed on August 14, 2025. This security flaw allows unauthorized users to read sampled data within views they cannot access and bypass row security policies in partitioning or table inheritance hierarchies. The vulnerability affects PostgreSQL versions before 17.6, 16.10, 15.14, 14.19, and 13.22 (PostgreSQL Security).

The vulnerability exists in PostgreSQL's optimizer statistics system which maintains table statistics by sampling column data for query planning. An attacker can craft a leaky operator to bypass view access control lists (ACLs) and row security policies, gaining access to sensitive data including histograms and most-common-values lists. The vulnerability has been assigned a CVSS 3.1 base score of 3.1 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with high attack complexity and low privileges required (PostgreSQL Security).

The vulnerability enables unauthorized access to sensitive data that should be protected by view permissions and row-level security policies. This represents a continuation of previously identified security gaps that were supposedly addressed by CVE-2017-7484 and CVE-2019-10130, demonstrating persistent weaknesses in PostgreSQL's data access controls (GBHackers).

Organizations must upgrade to the fixed versions: PostgreSQL 17.6, 16.10, 15.14, 14.19, or 13.22. The vulnerability was addressed through security patches released on August 14, 2025. With PostgreSQL 13 reaching end-of-life on November 13, 2025, organizations using this version should prioritize migration to newer supported versions (GBHackers).

Cloud providers have responded to the vulnerability by initiating emergency fleet updates. The PostgreSQL project credited Dean Rasheed for responsibly disclosing this security issue (PostgreSQL Security, GBHackers).