The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.6, 16.10, 15.14, 14.19, and 13.22, as well as the third beta release of PostgreSQL 18. This release fixes 3 security vulnerabilities and over 55 bugs reported over the last several months.
If you previously created a BRIN index using the numeric_minmax_multi_ops
operator class, please see the "Updating" section for additional instructions
after upgrading your instance.
For the full list of changes, please review the release notes.
PostgreSQL 13 will stop receiving fixes on November 13, 2025. If you are running PostgreSQL 13 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.
CVSS v3.1 Base Score: 3.1
Supported, Vulnerable Versions: 13 - 17.
PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
The PostgreSQL project thanks Dean Rasheed for reporting this problem.
pg_dump lets superuser of origin server execute arbitrary code in psql client
CVSS v3.1 Base Score: 8.8
Supported, Vulnerable Versions: 13 - 17.
Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
The PostgreSQL project thanks Martin Rakhmanov, Matthieu Denais, and RyotaK for reporting this problem.
pg_dump newline in object name executes arbitrary code in psql client and in restore target server
CVSS v3.1 Base Score: 8.8
Supported, Vulnerable Versions: 13 - 17.
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
The PostgreSQL project thanks Noah Misch for reporting this problem.
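Both pg_dump advisories above turn on psql meta-commands reaching the client from a dump it is about to restore. The following pre-restore sanity check is an added example, not code from the PostgreSQL project: it walks a plain-format dump, skips COPY data blocks (where psql does not interpret meta-commands), and reports any line that psql would run as a meta-command outside an allow-list. The allow-list contents and the constructed sample dump are assumptions.

```python
import re

# psql meta-commands a plain-format dump legitimately contains (assumption: \connect
# for pg_dumpall/--create output, \restrict and \unrestrict from the fixed releases on).
EXPECTED_META = {"\\connect", "\\restrict", "\\unrestrict"}
COPY_START = re.compile(r"^COPY\s.*\sFROM\s+stdin;\s*$", re.IGNORECASE)
META_NAME = re.compile(r"\\[A-Za-z]*")   # "\!" and other symbol commands yield a bare "\"

def scan_dump(text):
    """Return (lineno, line) for lines outside COPY data that psql would run as a
    meta-command not in EXPECTED_META. Heuristic: a newline smuggled into an object
    name surfaces as a line starting with "\" inside pg_dump's "-- Name:" comments;
    mid-line backslash commands are not lexed and so are not detected."""
    findings, in_copy = [], False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if in_copy:                      # psql ignores meta-commands inside COPY data
            in_copy = line != "\\."      # "\." terminates the data block
            continue
        if COPY_START.match(line):
            in_copy = True
            continue
        stripped = line.lstrip()
        if stripped.startswith("\\") and META_NAME.match(stripped).group(0) not in EXPECTED_META:
            findings.append((lineno, line))
    return findings

# Constructed sample, not real pg_dump output: one benign \connect, a COPY block whose
# data happens to start with a backslash, and a header comment broken by a newline.
SAMPLE_DUMP = "\n".join([
    "--",
    "-- PostgreSQL database dump",
    "--",
    "\\connect mydb",
    "--",
    "-- Name: t1; Type: TABLE; Schema: public; Owner: app",
    "--",
    "CREATE TABLE public.t1 (a integer, note text);",
    "COPY public.t1 (a, note) FROM stdin;",
    "1\t\\N",
    "2\t\\echo this is row data, not a command",
    "\\.",
    "--",
    "-- Name: t2",                                                          # name continued on...
    "\\echo psql runs this line; Type: TABLE; Schema: public; Owner: app",  # ...the next line
    "--",
    "CREATE TABLE public.t2 (b integer);",
])
```

Run scan_dump over the text of a dump before feeding it to psql; any finding means the dump and the origin server's object names deserve a look, and it complements rather than replaces upgrading both pg_dump and psql to the fixed releases.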
This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.
- Fix an issue with BRIN indexes that use the numeric_minmax_multi_ops operator class that could cause them to become bloated and inefficient. Please see the "Updating" section for instructions on how to fix these indexes.
- Fix how bracket expressions (e.g. [[:alpha:]%_]) are handled in SIMILAR TO expressions.
- Several fixes for MERGE, including incorrect query results with concurrency and when targeting a table that is a parent in an inheritance hierarchy.
- Fix an issue involving shared_buffers settings.
- Fix an issue in PQcancelCreate().

All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use pg_upgrade
in order to apply this update release; you may simply shut down PostgreSQL and
update its binaries.
If you have any BRIN indexes that use the numeric_minmax_multi_ops operator
class, it is advisable to REINDEX them after updating to fix any potential
bloating and inefficiency.
Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.
For more details, please see the release notes.
This release marks the third beta release of PostgreSQL 18 and puts the community one step closer to general availability tentatively around September/October 2025.
In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 18 on your systems to help us eliminate bugs and other issues. While we do not advise you to run PostgreSQL 18 Beta 3 in production environments, we encourage you to find ways to run your typical application workloads against this beta release.
Your testing and feedback help the community ensure that PostgreSQL 18 upholds our standards of delivering a stable, reliable release of the world's most advanced open source relational database. Please read more about our beta testing process and how you can contribute:
https://www.postgresql.org/developer/beta/
To upgrade to PostgreSQL 18 Beta 3 from an earlier version of PostgreSQL,
you will need to use a strategy similar to upgrading between major versions of
PostgreSQL (e.g. pg_upgrade or pg_dump / pg_restore). For more
information, please visit the documentation section on upgrading.
Fixes and changes in PostgreSQL 18 Beta 3 include:
- Fix "can't get cancellation key" error observed with some additional software.
- Fixes for pg_dumpall --statistics-only and --no-schema.
- Fixes for pg_dumpall non-text output file formats.
- Fix date_trunc(..., 'infinity'::timestamptz) on 32-bit systems.

Please see the release notes for a complete list of new and changed features:
https://www.postgresql.org/docs/18/release-18.html
The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools to find bugs and regressions before the general availability of PostgreSQL 18. As this is a Beta, minor changes to database behaviors, feature details, and APIs are still possible. Your feedback and testing will help determine the final tweaks on the new features, so please test in the near future. The quality of user testing helps determine when we can make a final release.
A list of open issues is publicly available in the PostgreSQL wiki. You can report bugs using this form on the PostgreSQL website:
https://www.postgresql.org/account/submitbug/
This is the third beta release of version 18. The PostgreSQL Project will release one or more release candidates before the final release around September/October 2025. For further information please see the Beta Testing page.
If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.