PostgreSQL Announces Critical Updates Across All Supported Versions

PostgreSQL releases 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23, featuring 2 security fixes and over 50 bug resolutions. PostgreSQL 13 officially reaches End-of-Life.

November 13, 2025 – The PostgreSQL Global Development Group has released a comprehensive update across all supported versions, including 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23. This critical release addresses two security vulnerabilities and resolves over 50 reported bugs from the past several months.

For a complete list of changes and detailed information, please refer to the official release notes.

PostgreSQL 13 Reaches End-of-Life

This marks the final release for PostgreSQL 13. As of this update, PostgreSQL 13 is officially End-of-Life (EOL) and will no longer receive security patches or bug fixes. Users operating PostgreSQL 13 in production environments are strongly advised to plan an upgrade to a newer, actively supported PostgreSQL version. Further details on version support can be found in the versioning policy.

Critical Security Fixes

This release includes fixes for two identified security vulnerabilities:

  • CVE-2025-12817: PostgreSQL CREATE STATISTICS lacks schema CREATE privilege check

    • CVSS v3.1 Base Score: 3.1
    • Supported, Vulnerable Versions: 13 - 18
    • Description: A missing authorization check in the CREATE STATISTICS command could allow a table owner to cause a denial of service against other CREATE STATISTICS users by creating statistics in any schema. Subsequent attempts to create statistics with the same name by a user with the CREATE privilege would then fail.
    • Affected Versions: All versions prior to PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23.
    • Acknowledgement: The PostgreSQL project thanks Jelte Fennema-Nio for reporting this issue.
  • CVE-2025-12818: PostgreSQL libpq undersizes allocations due to integer wraparound

    • CVSS v3.1 Base Score: 5.9
    • Supported, Vulnerable Versions: 13 - 18
    • Description: An integer wraparound vulnerability in multiple libpq client library functions could allow an application input provider or network peer to cause libpq to undersize memory allocations. This could lead to an out-of-bounds write of hundreds of megabytes, resulting in a segmentation fault for applications utilizing libpq.
    • Affected Versions: All versions prior to PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23.
    • Acknowledgement: The PostgreSQL project thanks Aleksey Solovev (Positive Technologies) for reporting this problem.
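
The bug class behind CVE-2025-12818, shown as an added example that is not libpq source code: a worst-case buffer size computed in fixed-width arithmetic wraps to a small value, and the checked variant rejects the input instead. The function names, the `2 * len + 3` sizing rule and the 32-bit width are assumptions chosen to make the wraparound reproducible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sizing rule for an escaping routine (not libpq code):
 * every input byte may double, plus two quotes and a terminating NUL. */

/* Unchecked: 32-bit unsigned arithmetic wraps modulo 2^32, so a very
 * large input length yields a tiny "required" size. A buffer allocated
 * from this value is far too small for the bytes written into it. */
static uint32_t escaped_size_unchecked(uint32_t input_len)
{
    return input_len * 2u + 3u;
}

/* Checked: compare against the largest length whose worst-case size is
 * still representable, and fail before doing the arithmetic. */
static bool escaped_size_checked(uint32_t input_len, uint32_t *out)
{
    if (input_len > (UINT32_MAX - 3u) / 2u)
        return false;               /* caller must treat this as an error */
    *out = input_len * 2u + 3u;
    return true;
}

int main(void)
{
    uint32_t len = 0x80000000u;     /* constructed sample: 2 GiB of input */
    uint32_t size = 0;

    printf("unchecked size for %lu input bytes: %lu\n",
           (unsigned long)len, (unsigned long)escaped_size_unchecked(len));

    if (!escaped_size_checked(len, &size))
        puts("checked: rejected, required size is not representable");

    if (escaped_size_checked(5u, &size))
        printf("checked size for 5 input bytes: %lu\n", (unsigned long)size);

    return 0;
}
```
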

Bug Fixes and Improvements

This update resolves over 50 bugs identified in recent months. While the following list highlights issues specifically affecting PostgreSQL 18, some of these fixes may also apply to other supported PostgreSQL versions:

  • Prevent duplicate rows from hash right semi-joins.
  • Mitigate possible out-of-memory failures during parallel GIN index builds.
  • Implement several fixes for BRIN indexes.
  • Resolve crashes related to partitioned tables, including issues during rechecks.
  • Prevent duplication of hash partition constraints during DETACH CONCURRENTLY, which previously caused problems during dump/restore or when a parent table was dropped after detachment.
  • Disallow generated columns in partition keys and within COPY ... FROM ... WHERE clauses.
  • Correct inaccurate replication lag reporting in the pg_stat_replication view.
  • Avoid failures when synchronized_standby_slots references nonexistent replication slots.
  • Prevent unwanted WAL receiver shutdowns when switching from streaming to archive WAL sources.
  • Avoid unnecessary invalidation of logical replication slots.
  • Ensure correct handling of GROUP BY DISTINCT in PL/pgSQL assignment statements.
  • Address memory leaks when handling SQL errors within PL/Python.
  • Improve how libpq handles socket-related errors on Windows within its GSSAPI logic.
  • Fix the dumping of non-inherited NOT NULL constraints on inherited table columns.
  • Guarantee consistent ordering of foreign key constraints in pg_dump output.
  • Introduce several fixes for pgbench error handling and reporting.
  • Resolve a memory leak in pg_combinebackup.
  • Enable nonsuperusers with SELECT privileges on a table to use pg_prewarm for prewarming indexes on that table.

How to Update

All PostgreSQL update releases are cumulative. For this minor release, users are not required to perform a database dump and reload or use pg_upgrade. Simply shut down your PostgreSQL instance and update its binaries.

Users who have skipped one or more previous update releases may need to perform additional post-update steps. Please consult the release notes from earlier versions for specific instructions.

For comprehensive update instructions and details, please refer to the release notes.

For corrections or suggestions regarding this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.