CVE-2025-50083 in MySQL Serverinfo

Summary

by MITRE • 07/15/2025

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 12/02/2025

This vulnerability resides within the MySQL Server optimizer component of Oracle MySQL, affecting versions 8.0.0 through 8.0.42, 8.4.0 through 8.4.5, and 9.0.0 through 9.3.0. The issue represents a significant availability threat that can be exploited by low-privileged attackers with network access through multiple protocols. The vulnerability classification as easily exploitable indicates that attackers require minimal privileges and have straightforward means of accessing the target system. The CVSS score of 6.5 reflects the high availability impact, with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H clearly demonstrating the risk profile where network access is required, attack complexity is low, privileges are low, no user interaction is needed, and the scope remains unchanged with high availability impact. This vulnerability specifically targets the query optimizer functionality, which is fundamental to MySQL's database operations and performance optimization.

The technical flaw manifests as a condition that allows attackers to trigger a hang or repeatedly cause crashes that result in complete denial of service for the MySQL Server. This occurs within the optimizer component where database queries are processed and optimized for execution, making it a critical attack surface. The optimizer's failure to properly handle specific query patterns or data conditions leads to system instability, potentially causing the server to become unresponsive or enter a continuous crash-restart cycle. This type of vulnerability typically stems from improper input validation or handling of edge cases within the query processing pipeline, where malformed or specially crafted queries can cause memory corruption, infinite loops, or resource exhaustion in the optimizer module.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise entire database infrastructures that rely on MySQL for critical operations. Organizations using affected MySQL versions face the risk of complete service outages that can affect applications, web services, and business-critical systems depending on database availability. The low privilege requirement means that even unauthenticated attackers with network access can potentially exploit this vulnerability, making it particularly dangerous in environments where network exposure is common. The vulnerability's ability to cause complete DOS conditions means that recovery may require manual intervention, system restarts, and potentially database recovery procedures that can result in significant downtime and operational disruption.

Mitigation strategies should focus on immediate version upgrades to patched releases of MySQL Server, as this represents the most effective protection against the vulnerability. Organizations should prioritize patching affected systems, particularly those with direct network exposure or those hosting critical database services. Network segmentation and access controls can provide additional defense-in-depth measures, limiting access to MySQL ports and services to only trusted networks and applications. Monitoring should be implemented to detect unusual patterns in database connections or query execution that might indicate exploitation attempts. The vulnerability aligns with CWE-121, which covers stack-based buffer overflow conditions, and may relate to ATT&CK technique T1499.004 for network denial of service attacks, emphasizing the need for robust network security controls and incident response procedures to address potential exploitation scenarios.

Responsible

Oracle

Reservation

06/12/2025

Disclosure

07/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00525

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!