CVE-2025-50080 in MySQL Server
Summary
by MITRE • 07/15/2025
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Analysis
by VulDB Data Team • 12/02/2025
The vulnerability identified as CVE-2025-50080 represents a significant availability risk within Oracle MySQL Server's stored procedure execution environment. This weakness affects multiple version ranges including 8.0.0 through 8.0.42, 8.4.0 through 8.4.5, and 9.0.0 through 9.3.0, indicating a broad impact across recent MySQL releases. The vulnerability resides within the Server: Stored Procedure component, which forms a critical part of MySQL's database functionality and represents a foundational element that handles complex database operations through stored procedures.
The flaw can be exploited by a high-privileged attacker who can establish network connections through various protocols. The vulnerability requires only high privileges rather than administrative access, suggesting that malicious actors with elevated database user permissions could potentially trigger it. CVSS 3.1 assigns a base score of 4.9 out of 10, with the impact falling on availability. The attack complexity is rated as low, indicating that exploitation requires minimal technical skill or resources, while the privilege requirement is high, meaning the attacker must already possess elevated database user credentials.
The operational consequences of successful exploitation are particularly severe as the vulnerability can lead to complete denial of service conditions. When triggered, the vulnerability causes MySQL Server to either hang indefinitely or experience frequently repeatable crashes, effectively rendering the database service unavailable to legitimate users and applications. This type of disruption can have cascading effects throughout enterprise environments where MySQL serves as a critical backend component for numerous applications, potentially affecting business continuity and data availability. The vulnerability's impact extends beyond simple service interruption as it can cause complete system unresponsiveness that may require manual intervention and service restarts to restore normal operations.
The attack surface for this vulnerability encompasses multiple network protocols, indicating that it can be exploited through various connection methods including TCP/IP, Unix sockets, and potentially other communication channels supported by MySQL. This multi-protocol exploitation capability increases the likelihood of successful attacks and reduces the effectiveness of protocol-specific defensive measures. Security practitioners should note that this vulnerability aligns with CWE-476, which deals with NULL Pointer Dereference, suggesting that the stored procedure execution may not properly validate input parameters or handle exceptional conditions, leading to system instability. The threat model for this vulnerability fits within the ATT&CK framework's T1499 category for Network Denial of Service, where adversaries seek to make network resources unavailable to intended users through system disruption.
Organizations should prioritize immediate patching of affected MySQL installations, as the vulnerability's low attack complexity and high availability impact make it particularly dangerous in production environments. The high privilege requirement does not provide sufficient protection against determined attackers who may have obtained elevated database credentials through other means. Mitigation strategies should include implementing network segmentation to limit access to MySQL servers, enforcing strict access controls for database users, and monitoring for unusual connection patterns or service disruptions. Additionally, organizations should consider implementing database activity monitoring solutions that can detect anomalous stored procedure execution patterns that might indicate exploitation attempts. The vulnerability's presence in multiple version ranges suggests that organizations should conduct comprehensive inventory audits to identify all affected systems and apply appropriate security patches from Oracle as soon as they become available.
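For the inventory audit recommended above, the following added example (not part of the original advisory or any Oracle or VulDB tooling) checks collected server version strings against the affected ranges listed in the summary. It assumes the strings were gathered beforehand, for instance from `SELECT VERSION()`; the function names and the sample inventory are hypothetical.

```python
import re

# Affected ranges as listed in the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 0, 42)),
    ((8, 4, 0), (8, 4, 5)),
    ((9, 0, 0), (9, 3, 0)),
]
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(raw):
    """Return (major, minor, patch) from a VERSION()-style string, or None."""
    # MariaDB uses its own numbering; the advisory covers Oracle MySQL only.
    if not raw or "mariadb" in raw.lower():
        return None
    match = _VERSION_RE.match(raw)
    return tuple(int(part) for part in match.groups()) if match else None


def in_affected_range(raw):
    """True/False for a parseable version, None when it cannot be judged."""
    version = parse_version(raw)
    if version is None:
        return None
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def audit(inventory):
    """Bucket {host: version_string} into affected / not_listed / unknown.

    "not_listed" only means the version is outside the advisory's ranges; the
    advisory lists supported versions, so it is not proof that a host is fixed.
    """
    report = {"affected": [], "not_listed": [], "unknown": []}
    for host, raw in sorted(inventory.items()):
        verdict = in_affected_range(raw)
        key = "unknown" if verdict is None else "affected" if verdict else "not_listed"
        report[key].append(host)
    return report


# Constructed sample inventory: hostnames and version strings are illustrative.
SAMPLE_INVENTORY = {
    "db-a": "8.0.42-0ubuntu0.22.04.1", "db-b": "8.0.43", "db-c": "8.4.5",
    "db-d": "9.3.0", "db-e": "9.4.0", "db-f": "5.7.44-log",
    "db-g": "10.11.6-MariaDB-1:10.11.6+maria~ubu2204", "db-h": "",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(status, hosts)
```

Hosts in the "unknown" bucket need manual review, since an unparseable or non-MySQL version string says nothing about exposure.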