CVE-2025-50082 in MySQL Serverinfo

Summary

by MITRE • 07/15/2025

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 12/02/2025

This vulnerability resides within the MySQL Server optimizer component of Oracle MySQL, affecting specific version ranges including 8.0.0 through 8.0.42, 8.4.0 through 8.4.5, and 9.0.0 through 9.3.0. The flaw represents a significant availability risk that can be exploited by low-privileged attackers who gain network access through multiple protocols. The vulnerability's classification as easily exploitable indicates that attackers require minimal prerequisites to execute successful attacks, making it particularly concerning for production environments where MySQL servers are exposed to network traffic. The CVSS 3.1 score of 6.5 reflects the high availability impact with a base vector showing network access (AV:N), low attack complexity (AC:L), low privileges required (PR:L), and no user interaction needed (UI:N).

The technical nature of this vulnerability allows attackers to induce complete denial of service conditions through hang situations or frequently repeatable crashes within the MySQL Server environment. This means that successful exploitation can result in the complete unavailability of database services, potentially affecting critical business operations that depend on database connectivity. The optimizer component is responsible for query execution planning and optimization, making it a critical subsystem where flaws can have cascading effects on database performance and availability. The vulnerability's impact on server stability creates a scenario where legitimate database operations may be disrupted, requiring manual intervention to restore service availability.

From a cybersecurity perspective, this vulnerability aligns with CWE-476 which addresses null pointer dereference conditions, and represents a classic example of a resource exhaustion or system stability compromise. The attack surface expands due to the multiple protocol support, suggesting that the vulnerability could be exploited through various network interfaces including TCP/IP connections, Unix domain sockets, or other communication channels supported by MySQL. Organizations should consider this vulnerability in their threat modeling exercises, particularly when evaluating their database security posture against persistent or opportunistic attackers who may attempt to disrupt database services through availability-focused attacks.

The operational impact of this vulnerability extends beyond simple service disruption to include potential data integrity concerns during system recovery phases, as well as increased administrative overhead for monitoring and maintaining database availability. Organizations should implement immediate mitigation strategies including applying the relevant Oracle security patches, implementing network segmentation to limit access to MySQL servers, and establishing robust monitoring solutions to detect potential exploitation attempts. Additionally, the vulnerability's presence in multiple version streams (8.0, 8.4, and 9.0) suggests that organizations need to conduct comprehensive inventory assessments to identify all affected systems and prioritize patching efforts accordingly. The CVSS vector components indicate that while the vulnerability requires low privileges, it can be exploited from network locations, making it particularly dangerous in environments where database servers are not properly isolated from untrusted network segments.

Organizations should also consider implementing additional security controls such as connection throttling, query timeout configurations, and intrusion detection systems specifically configured to monitor for unusual patterns of database access that might indicate exploitation attempts. The vulnerability's potential for complete server crashes aligns with ATT&CK technique T1499.004 which covers network denial of service attacks, and organizations should include this threat in their incident response planning to ensure rapid recovery procedures are in place. Regular vulnerability assessments and penetration testing should be conducted to identify similar weaknesses in database configurations and ensure that security controls remain effective against evolving threat landscapes.

Responsible

Oracle

Reservation

06/12/2025

Disclosure

07/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00525

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!