CVE-2025-1094: High-Severity PostgreSQL SQL Injection Flaw Demands Update to 17.3, kartozar/postgis Docker Image Lags
A high-severity SQL injection vulnerability in PostgreSQL, designated CVE-2025-1094 (CVSS 8.1), was fixed by the PostgreSQL Global Development Group in the minor releases of 13 February 2025, and the project recommends that every affected installation update. The bug sits in the quoting functions of libpq (PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() and PQescapeStringConn()) and in psql and the other command-line utilities: input containing an invalid multibyte sequence can carry a quote character past the escaping logic, so text that was supposedly neutralized still terminates a string literal when psql later lexes it. The flaw presents a significant risk to the many organizations relying on the popular `kartozar/postgis` Docker image, which according to this report remains unpatched in its current `17.3-5` tag. Note that the tag is the image's own label and does not by itself say which PostgreSQL minor release is inside; the version the bundled `postgres` and `psql` binaries report is what counts. This creates a dangerous gap where the upstream database software is secure but a widely used deployment artifact is not, leaving systems exposed until the container image is rebuilt and republished.
The core issue is a direct dependency chain: the `kartozar/postgis` image is built on a vulnerable PostgreSQL release, so everything layered on top inherits the bug. According to the PostgreSQL project's announcement, the fix ships in 17.3, 16.7, 15.11, 14.16 and 13.19; major versions 12 and older were already out of support and received no fix. For users of the image's `17.3-5` tag the vulnerability is present and reproducible. The fix for the container ecosystem is technically straightforward, a rebuild of the image against the patched PostgreSQL packages, but the operational delay means a large number of containerized deployments are running with a known high-severity flaw. Rebuilding the image also only fixes the server and the psql and libpq it bundles; application containers that link their own libpq (psycopg-based services, for example) have to update that library separately, because the vulnerable quoting code runs on the client side.
The situation places immediate pressure on the maintainers of the `kartozar/postgis` repository to execute a new build and push the updated image to Docker Hub. Until then, any system using the current image carries the bug, although exploitability depends on usage: the dangerous pattern is an application that quotes untrusted input with the libpq functions and feeds the result to psql, or command-line utilities run with a BIG5 client encoding against an EUC_TW or MULE_INTERNAL server. That pattern is not hypothetical; Rapid7 found the flaw while investigating exploitation of a BeyondTrust remote-support product, where the attack chain relied on psql. This highlights a persistent risk in the software supply chain: a patched upstream component does not equate to secure downstream artifacts, and the window between the two is exactly what attackers target. Organizations using this image should watch for the rebuilt tag, verify the PostgreSQL version the image actually reports rather than trusting the tag name, and in the meantime rebuild from a base that already ships a patched minor or pin the digest of an already-patched alternative.
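One way to check what a pulled image actually contains, as an added example that is not code from this article or from the kartozar/postgis project: a POSIX shell script that encodes the fixed minor versions from the PostgreSQL advisory, asks the image's `postgres` and `psql` binaries for their versions, and flags either one that falls below the fix. It assumes the `docker` CLI is available and that both binaries are on the image's PATH; the script name `check_pg_image.sh` is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the article or from the kartozar/postgis project.
# Assumes: the docker CLI is available, and the image places both `postgres`
# and `psql` on its PATH (adjust check_image if yours does not).
set -eu

# First fixed minor for each major, per the PostgreSQL advisory for CVE-2025-1094.
# Majors older than 13 were already end-of-life and received no fix.
fixed_minor_for_major() {
  case "$1" in
    17) echo 3 ;;
    16) echo 7 ;;
    15) echo 11 ;;
    14) echo 16 ;;
    13) echo 19 ;;
    *)  echo "" ;;
  esac
}

# Pull "17.3" out of a --version line such as
# "postgres (PostgreSQL) 17.3 (Debian 17.3-1.pgdg120+1)" or "psql (PostgreSQL) 16.6".
extract_version() {
  printf '%s\n' "$1" | sed -n 's/.*(PostgreSQL) \([0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# is_patched VERSION: exit 0 when VERSION is at or past the fixed minor, 1 otherwise.
is_patched() {
  ver=$1
  case "$ver" in
    *.*) major=${ver%%.*}; minor=${ver#*.}; minor=${minor%%[!0-9]*} ;;
    *)   major=$ver; minor=0 ;;
  esac
  minor=${minor:-0}
  need=$(fixed_minor_for_major "$major")
  if [ -z "$need" ]; then
    # Majors 18 and up were released after the fix; anything below 13 never got one.
    if [ "$major" -ge 18 ]; then return 0; else return 1; fi
  fi
  [ "$minor" -ge "$need" ]
}

# check_image IMAGE: run the server and client binaries inside the image and
# compare both, since the server and the bundled psql/libpq each carry the fix.
check_image() {
  image=$1
  status=0
  for bin in postgres psql; do
    if ! raw=$(docker run --rm --entrypoint "$bin" "$image" --version 2>/dev/null); then
      echo "$image: could not run '$bin --version' inside the image" >&2
      return 2
    fi
    ver=$(extract_version "$raw")
    if is_patched "$ver"; then
      echo "$image: $bin $ver includes the CVE-2025-1094 fix"
    else
      echo "$image: $bin $ver is NOT fixed for CVE-2025-1094"
      status=1
    fi
  done
  return "$status"
}

# Usage: sh check_pg_image.sh kartozar/postgis:17.3-5
if [ $# -gt 0 ]; then
  check_image "$1"
fi
```

Run it against a tag before deploying and again when a rebuilt tag appears, then pin by digest once it passes. The script only inspects binaries inside the database image; an application container that links its own libpq needs that library checked and updated separately.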