PostgreSQL 17.6, 16.10, 15.14, 14.19, 13.22, and 18 Beta 3 Released!

From: PostgreSQL Global Development Group <announce-noreply(at)postgresql(dot)org>
To: PostgreSQL Announce <pgsql-announce(at)lists(dot)postgresql(dot)org>
Subject: PostgreSQL 17.6, 16.10, 15.14, 14.19, 13.22, and 18 Beta 3 Released!
Date: 2025-08-14 14:07:19
Message-ID: 175518043943.479719.1750774220017947871@wrigleys.postgresql.org
Lists: pgsql-announce

The PostgreSQL Global Development Group has released an update to all
supported versions of PostgreSQL, including 17.6, 16.10, 15.14, 14.19, and
13.22, as well as the third beta release of PostgreSQL 18. This release fixes
3 security vulnerabilities and over 55 bugs reported over the last several
months.

If you previously created a BRIN index using the `numeric_minmax_multi_ops`
operator class, please see the "Updating" section for additional instructions
after upgrading your instance.

For the full list of changes, please review the [release
notes](https://www.postgresql.org/docs/release/).

PostgreSQL 13 EOL Notice
------------------------

PostgreSQL 13 will stop receiving fixes on November 13, 2025. If you are
running PostgreSQL 13 in a production environment, we suggest that you make
plans to upgrade to a newer, supported version of PostgreSQL. Please see our
[versioning policy](https://www.postgresql.org/support/versioning/) for more
information.

Security Issues
---------------

### [CVE-2025-8713](https://www.postgresql.org/support/security/CVE-2025-8713/): PostgreSQL optimizer statistics can expose sampled data within a view, partition, or child table

CVSS v3.1 Base Score: [3.1](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Supported, Vulnerable Versions: 13 - 17.

PostgreSQL optimizer statistics allow a user to read sampled data within a
view that the user cannot access. Separately, statistics allow a user to read
sampled data that a row security policy intended to hide. PostgreSQL maintains
statistics for tables by sampling data available in columns; this data is
consulted during the query planning process. Prior to this release, a user
could craft a leaky operator that bypassed view access control lists (ACLs)
and bypassed row security policies in partitioning or table inheritance
hierarchies. Reachable statistics data notably included histograms and
most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this
class of vulnerability, but this gap remained. Versions before PostgreSQL
17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

The PostgreSQL project thanks Dean Rasheed for reporting this problem.

### [CVE-2025-8714](https://www.postgresql.org/support/security/CVE-2025-8714/): PostgreSQL `pg_dump` lets superuser of origin server execute arbitrary code in `psql` client

CVSS v3.1 Base Score: [8.8](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Supported, Vulnerable Versions: 13 - 17.

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser
of the origin server to inject arbitrary code for restore-time execution as
the client operating system account running psql to restore the dump, via psql
meta-commands. pg_dumpall is also affected. pg_restore is affected when used
to generate a plain-format dump. This is similar to MySQL CVE-2024-21096.
Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

The PostgreSQL project thanks Martin Rakhmanov, Matthieu Denais, and RyotaK
for reporting this problem.

### [CVE-2025-8715](https://www.postgresql.org/support/security/CVE-2025-8715/): PostgreSQL `pg_dump` newline in object name executes arbitrary code in `psql` client and in restore target server

CVSS v3.1 Base Score: [8.8](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Supported, Vulnerable Versions: 13 - 17.

Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of
the origin server to inject arbitrary code for restore-time execution as the
client operating system account running psql to restore the dump, via psql
meta-commands inside a purpose-crafted object name. The same attacks can
achieve SQL injection as a superuser of the restore target server. pg_dumpall,
pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6,
16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are
unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20
reintroduced it.

The PostgreSQL project thanks Noah Misch for reporting this problem.
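Since the restore-time execution described for CVE-2025-8715 depends on an object name carrying a line break, a defender can audit the origin server for such names before producing a dump that will be fed to `psql`. The following query is an added example and not part of the announcement; it assumes only the standard system catalogs.

```sql
-- Added example, not from the announcement: find names that contain a
-- newline or carriage return among the objects pg_dump / pg_dumpall write
-- into a plain-format dump. Every row returned is a name worth inspecting
-- before the dump produced by a pre-fix version is trusted.
WITH names(kind, schemaname, objname) AS (
    SELECT 'relation', n.nspname, c.relname::text
    FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
  UNION ALL
    SELECT 'column', n.nspname, c.relname || '.' || a.attname
    FROM pg_attribute a
    JOIN pg_class c     ON c.oid = a.attrelid
    JOIN pg_namespace n ON n.oid = c.relnamespace
    WHERE a.attnum > 0 AND NOT a.attisdropped
  UNION ALL
    SELECT 'function', n.nspname, p.proname::text
    FROM pg_proc p JOIN pg_namespace n ON n.oid = p.pronamespace
  UNION ALL
    SELECT 'schema', NULL, nspname::text FROM pg_namespace
  UNION ALL
    SELECT 'role', NULL, rolname::text FROM pg_roles
  UNION ALL
    SELECT 'database', NULL, datname::text FROM pg_database
)
SELECT kind, schemaname,
       -- make the line breaks visible so the name can be read safely in psql
       replace(replace(objname, E'\n', '\n'), E'\r', '\r') AS objname_escaped,
       length(objname) AS name_length
FROM names
WHERE objname ~ E'[\n\r]'      -- bracket expression holds a literal LF and CR
ORDER BY kind, schemaname, objname_escaped;
```

An empty result means none of these catalogs holds a name with a line break; the fixed releases neutralize such names in the dump regardless, so this is a pre-upgrade check, not a substitute for updating.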

Bug Fixes and Improvements
--------------------------

This update fixes over 55 bugs that were reported in the last several
months. The issues listed below affect PostgreSQL 17. Some of these issues may
also affect other supported versions of PostgreSQL.

* Fix for BRIN indexes using the `numeric_minmax_multi_ops` operator class that could cause them to become bloated and inefficient. Please see the "Updating" section for instructions on how to fix these indexes.
* Several fixes for logical replication, including fixes for memory allocation failure, duplicate transaction replay, infinite wait, unexpected shutdown, and a standby unable to shut down.
* Fix premature removal of old WAL during a checkpoint, which could impact recovery when using replication slots.
* Revert a change that could reject XML documents over 10MB in size.
* Fix how nested character classes (e.g. `[[:alpha:]%_]`) are handled in [`SIMILAR TO`](https://www.postgresql.org/docs/current/functions-matching.html#FUNCTIONS-SIMILARTO-REGEXP) expressions.
* Restore the ability for PL/pgSQL expressions to use parallel execution.
* Avoid a rare scenario where a B-tree index could modify the wrong entry.
* Several fixes for [`MERGE`](https://www.postgresql.org/docs/current/sql-merge.html), including incorrect query results with concurrency and when targeting a table that is a parent in an inheritance hierarchy.
* Fix LZ4 decompression failure that could occur on data that is not very compressible.
* Prevent an infinite loop in checkpoints on systems with very large `shared_buffers` settings.
* Fix issues with GSSAPI authentication when using Active Directory accounts with many group memberships. This release also fixes timing-dependent connection failures when using SSL or GSSAPI encryption in non-blocking mode.
* Fix a crash in libpq function `PQcancelCreate()`.
* Fix several resource leaks.

Updating
--------

All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use `pg_upgrade`
in order to apply this update release; you may simply shut down PostgreSQL and
update its binaries.

If you have any BRIN indexes that use the `numeric_minmax_multi_ops` operator
class, it is advisable to `REINDEX` them after updating to fix any potential
bloating and inefficiency.
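To locate the indexes this paragraph refers to and generate the matching `REINDEX` statements, the following catalog query can be run on each database after the binaries are updated. It is an added example, not part of the announcement, and assumes only the standard system catalogs.

```sql
-- Added example, not from the announcement: list every BRIN index built with
-- the numeric_minmax_multi_ops operator class, its current on-disk size, and a
-- ready-to-run REINDEX statement for it.
SELECT n.nspname                                           AS schema_name,
       i.relname                                           AS index_name,
       t.relname                                           AS table_name,
       pg_size_pretty(pg_relation_size(i.oid))             AS index_size,
       format('REINDEX INDEX CONCURRENTLY %I.%I;',
              n.nspname, i.relname)                        AS reindex_command
FROM pg_index x
JOIN pg_class i     ON i.oid = x.indexrelid
JOIN pg_class t     ON t.oid = x.indrelid
JOIN pg_namespace n ON n.oid = i.relnamespace
JOIN pg_am am       ON am.oid = i.relam
-- indclass is an oidvector holding one opclass OID per indexed column
JOIN pg_opclass oc  ON oc.oid = ANY (x.indclass::oid[])
WHERE am.amname = 'brin'
  AND oc.opcname = 'numeric_minmax_multi_ops'
ORDER BY schema_name, index_name;
```

`REINDEX INDEX CONCURRENTLY` cannot run inside a transaction block; drop `CONCURRENTLY` if a plain `REINDEX` holding a write lock on the table is acceptable.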

Users who have skipped one or more update releases may need to run additional
post-update steps; please see the release notes from earlier versions for
details.

For more details, please see the [release
notes](https://www.postgresql.org/docs/release/).

A Note on the PostgreSQL 18 Beta
--------------------------------

This release marks the third beta release of PostgreSQL 18 and puts the
community one step closer to general availability tentatively around
September/October 2025.

In the spirit of the open source PostgreSQL community, we strongly encourage you
to test the new features of PostgreSQL 18 on your systems to help us eliminate
bugs and other issues. While we do not advise you to run PostgreSQL 18 Beta 3 in
production environments, we encourage you to find ways to run your typical
application workloads against this beta release.

Your testing and feedback help the community ensure that PostgreSQL 18
upholds our standards of delivering a stable, reliable release of the
world's most advanced open source relational database. Please read more about
our [beta testing process](https://www.postgresql.org/developer/beta/) and how
you can contribute:

[https://www.postgresql.org/developer/beta/](https://www.postgresql.org/developer/beta/)

Upgrading to PostgreSQL 18 Beta 3
---------------------------------

To upgrade to PostgreSQL 18 Beta 3 from an earlier version of PostgreSQL,
you will need to use a strategy similar to upgrading between major versions of
PostgreSQL (e.g. `pg_upgrade` or `pg_dump` / `pg_restore`). For more
information, please visit the documentation section on
[upgrading](https://www.postgresql.org/docs/18/static/upgrading.html).

Changes Since Beta 2
--------------------

Fixes and changes in PostgreSQL 18 Beta 3 include:

* Fix for performance regression in trivial queries.
* Fix `can't get cancellation key` error observed with some additional software.
* Fix for background workers failing to restart after crashes.
* Fix a rare asynchronous I/O failure.
* Stop dumping excess objects in `pg_dumpall --statistics-only` and `--no-schema`.
* Remove `pg_dumpall` non-text output file formats.
* Fix `date_trunc(..., 'infinity'::timestamptz)` on 32-bit systems.

Please see the [release notes](https://www.postgresql.org/docs/18/release-18.html) for a complete list of new and changed features:

[https://www.postgresql.org/docs/18/release-18.html](https://www.postgresql.org/docs/18/release-18.html)

Testing for Bugs & Compatibility
--------------------------------

The stability of each PostgreSQL release greatly depends on you, the community,
to test the upcoming version with your workloads and testing tools to find bugs
and regressions before the general availability of PostgreSQL 18. As this is a
Beta, minor changes to database behaviors, feature details, and APIs are still
possible. Your feedback and testing will help determine the final tweaks on the
new features, so please test in the near future. The quality of user testing
helps determine when we can make a final release.

A list of [open issues](https://wiki.postgresql.org/wiki/PostgreSQL_18_Open_Items)
is publicly available in the PostgreSQL wiki. You can
[report bugs](https://www.postgresql.org/account/submitbug/) using this form on
the PostgreSQL website:

[https://www.postgresql.org/account/submitbug/](https://www.postgresql.org/account/submitbug/)

Beta Schedule
-------------

This is the third beta release of version 18. The PostgreSQL Project will
release one or more release candidates, before the final release around
September/October 2025. For further information please see the [Beta
Testing](https://www.postgresql.org/developer/beta/) page.

Links
-----

* [Download](https://www.postgresql.org/download/)
* [Release Notes](https://www.postgresql.org/docs/release/)
* [Security](https://www.postgresql.org/support/security/)
* [Versioning Policy](https://www.postgresql.org/support/versioning/)
* [Beta Testing Information](https://www.postgresql.org/developer/beta/)
* [PostgreSQL 18 Beta Release Notes](https://www.postgresql.org/docs/18/release-18.html)
* [PostgreSQL 18 Open Issues](https://wiki.postgresql.org/wiki/PostgreSQL_18_Open_Items)
* [Submit a Bug](https://www.postgresql.org/account/submitbug/)
* [Donate](https://www.postgresql.org/about/donate/)

If you have corrections or suggestions for this release announcement, please
send them to the _pgsql-www(at)lists(dot)postgresql(dot)org_ public [mailing
list](https://www.postgresql.org/list/).

