PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 Released!

Posted on 2025-11-13 by PostgreSQL Global Development Group
PostgreSQL Project Security

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23. This release fixes 2 security vulnerabilities and over 50 bugs reported over the last several months.

For the full list of changes, please review the release notes.

PostgreSQL 13 EOL Notice

This is the final release of PostgreSQL 13. PostgreSQL 13 is now end-of-life and will no longer receive security and bug fixes. If you are running PostgreSQL 13 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2025-12817: PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege

CVSS v3.1 Base Score: 3.1

Supported, Vulnerable Versions: 13 - 18.

Missing authorization in the PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating statistics objects in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.

CVE-2025-12818: PostgreSQL libpq undersizes allocations, via integer wraparound

CVSS v3.1 Base Score: 5.9

Supported, Vulnerable Versions: 13 - 18.

Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

The PostgreSQL project thanks Aleksey Solovev (Positive Technologies) for reporting this problem.
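The following check is an added example, not code from the PostgreSQL project. It classifies a server or libpq version against the fixed releases listed above, and assumes versions are collected as `server_version_num`-style integers (the same format libpq's `PQlibVersion()` returns) or as `major.minor` text. The host names and versions in the sample inventory are constructed. Because CVE-2025-12818 is in libpq, the client-side library version needs checking as well as the server.

```python
import re

# Fixed minor release per supported major version, as listed in the announcement.
FIXED_MINOR = {18: 1, 17: 7, 16: 11, 15: 15, 14: 20, 13: 23}
EOL_MAJORS = {13}  # 13.23 is the final PostgreSQL 13 release


def parse_version(value):
    """Return (major, minor) from a version_num integer or 'major.minor' text."""
    text = str(value).strip()
    if text.isdigit():
        num = int(text)
        if num < 100000:
            raise ValueError(f"pre-10 version numbering not handled: {value!r}")
        return num // 10000, num % 10000
    match = re.search(r"\b(\d{2})\.(\d+)\b", text)
    if not match:
        raise ValueError(f"no major.minor version found in {value!r}")
    return int(match.group(1)), int(match.group(2))


def assess(value):
    """Classify one server or libpq version against the fixed releases."""
    major, minor = parse_version(value)
    if major not in FIXED_MINOR:
        return "not-covered"  # outside the 13 - 18 range the advisories name
    status = "patched" if minor >= FIXED_MINOR[major] else "vulnerable"
    return status + ("-eol" if major in EOL_MAJORS else "")


def needs_update(inventory):
    """Return sorted names whose version predates the fixed minor release."""
    return sorted(n for n, v in inventory.items() if assess(v).startswith("vulnerable"))


# Constructed sample inventory: names and versions are illustrative only.
SAMPLE = {
    "db-primary (server)": 170006,
    "db-replica (server)": "PostgreSQL 17.7 on x86_64-pc-linux-gnu",
    "reporting (server)": "13.22",
    "app-01 (libpq)": 160011,
    "batch-02 (libpq)": 150014,
}

if __name__ == "__main__":
    for name, version in SAMPLE.items():
        print(f"{name}: {assess(version)}")
    print("update:", needs_update(SAMPLE))
```

A `-eol` suffix marks PostgreSQL 13, which receives no fixes after 13.23, so a "patched-eol" result still calls for a major-version upgrade plan.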

Bug Fixes and Improvements

This update fixes over 50 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

  • Avoid returning duplicate rows from hash right semi-joins.
  • Avoid possible out-of-memory failures during parallel GIN index build.
  • Several fixes for BRIN indexes.
  • Fixes for crashes related to partitioned tables, including one occurring during a recheck.
  • Avoid duplicating hash partition constraints during DETACH CONCURRENTLY, which previously caused issues during dump/restore or if a parent table is dropped after the DETACH.
  • Disallow generated columns in partition keys and in COPY ... FROM ... WHERE clauses.
  • Fix incorrect reporting of replication lag in pg_stat_replication view.
  • Avoid failures when synchronized_standby_slots references nonexistent replication slots.
  • Avoid unwanted WAL receiver shutdown when switching from streaming to archive WAL source.
  • Avoid unnecessary invalidation of logical replication slots.
  • Correctly handle GROUP BY DISTINCT in PL/pgSQL assignment statements.
  • Avoid leaking memory when handling a SQL error within PL/Python.
  • Fix how libpq handles socket-related errors on Windows within its GSSAPI logic.
  • Fix dumping of non-inherited NOT NULL constraints on inherited table columns.
  • Ensure consistent ordering of foreign key constraints in the output of pg_dump.
  • Several fixes for pgbench error handling and reporting.
  • Fix memory leak in pg_combinebackup.
  • Allow nonsuperusers with SELECT privileges on a table to use pg_prewarm to prewarm indexes on that table.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.