
PostgreSQL has released an update for all supported database versions: 17.3, 16.7, 15.11, 14.16, and 13.19. The update addresses over 70 bugs reported in recent months, including restoring the pre-v17 truncation behavior for >63-byte database names and usernames in connection requests, removing the Lock suffix from LWLock wait event names, race-condition fixes for vacuum, fixes for truncating tables and indexes and for detaching partitions, the FFn format codes for to_timestamp, double-quoting of specific SQL/JSON and XMLTABLE() entries when necessary, and memory leaks in logical decoding output.

PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.3, 16.7, 15.11, 14.16, and 13.19. This release fixes 1 security vulnerability and over 70 bugs reported over the last several months.

For the full list of changes, please review the release notes.

Security Issues

CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation

CVSS v3.1 Base Score: 8.1

Supported, Vulnerable Versions: 13 - 17.

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

The PostgreSQL project thanks Stephen Fewer, Principal Security Researcher, Rapid7 for reporting this problem.
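The advisory above ties the weakness to text that fails encoding validation: bytes that are not well-formed in the declared client encoding cannot be quoted safely, so an application should reject them before any quoting step (and, wherever possible, pass values as query parameters rather than splicing them into SQL or psql input). The following is an added illustration of that fail-closed gate, not code from the PostgreSQL project; it uses Python's built-in big5 codec as a stand-in for the client_encoding check and a minimal standard SQL literal quoter (the function names and the sample inputs are constructed for this example).

```python
def validate_client_encoding(data: bytes, client_encoding: str) -> bool:
    """Return True only if `data` is a well-formed byte string in the
    declared client encoding (e.g. "big5").

    Invalid or truncated multibyte sequences are rejected outright:
    a quoting routine that works byte-by-byte cannot reason about
    where such a sequence ends, so the input must not reach it.
    """
    try:
        data.decode(client_encoding, errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def quote_literal_checked(data: bytes, client_encoding: str) -> str:
    """Validate first, then quote.

    Fails closed with ValueError instead of returning a literal built
    from bytes the declared encoding cannot represent.  Only reached
    when a bound parameter is not an option (e.g. generating a script
    that will be fed to psql).
    """
    if not validate_client_encoding(data, client_encoding):
        raise ValueError(
            f"input is not valid {client_encoding}; refusing to quote"
        )
    text = data.decode(client_encoding)
    # Standard-conforming SQL string literal: double any embedded quote.
    return "'" + text.replace("'", "''") + "'"


if __name__ == "__main__":
    # Constructed samples: valid Big5 text, ASCII with a quote, and a
    # string ending in a dangling lead byte (incomplete sequence).
    print(quote_literal_checked("資料".encode("big5"), "big5"))
    print(quote_literal_checked(b"O'Reilly", "big5"))
    try:
        quote_literal_checked(b"abc\xa3", "big5")
    except ValueError as exc:
        print("rejected:", exc)
```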

Bug Fixes and Improvements

This update fixes over 70 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.

  • Restore pre-v17 truncation behavior for >63-byte database names and usernames in connection requests.
  • Don't perform connection privilege checks and limits on parallel workers, and instead inherit these from the leader process.
  • Remove Lock suffix from LWLock wait event names.
  • Fix possible re-use of stale results in window aggregates, which could lead to incorrect results.
  • Several race condition fixes for vacuum that in the worst case could cause corruption to a system catalog.
  • Several fixes for truncating tables and indexes that prevent potential corruption.
  • Fix for detaching a partition where its own foreign-key constraint references a partitioned table.
  • Fix for the FFn (e.g., FF1) format codes for to_timestamp, where an integer format code before the FFn would consume all available digits.
  • Fixes for SQL/JSON and XMLTABLE() to double-quote specific entries when necessary.
  • Include the ldapscheme option in pg_hba_file_rules().
  • Several fixes for UNION, including not merging columns with non-compatible collations.
  • Several fixes that could impact availability or speed of starting a connection to PostgreSQL.
  • Fix multiple memory leaks in logical decoding output.
  • Fix several memory leaks in PL/Python.
  • Add psql tab completion for COPY (MERGE INTO).
  • Make pg_controldata more resilient when displaying info from corrupted pg_control files.
  • Fix for a memory leak in pg_restore with zstd-compressed data.
  • Fix pg_basebackup to correctly handle pg_wal.tar files exceeding 2GB on Windows.
  • Modify earthdistance to use SQL-standard function bodies, which fixes possible issues with major version upgrades to v17 when databases use this extension.
  • Fix crash in pageinspect in instances where the brin_page_items() function definition is not updated to the latest version.
  • Fix race condition when trying to cancel a postgres_fdw remote query.

This release also updates time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines.