CVE-2025-50084 in Serverinfo

Summary

by MITRE • 07/15/2025

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 12/02/2025

This vulnerability resides within the MySQL Server optimizer component of Oracle MySQL, specifically affecting versions ranging from 8.0.0 through 8.0.42, 8.4.0 through 8.4.5, and 9.0.0 through 9.3.0. The flaw represents a significant availability risk that can be exploited by attackers with high privileges and network access through multiple protocols. The vulnerability classification as easily exploitable indicates that the attack vector requires minimal effort to execute, making it particularly dangerous in production environments where MySQL servers handle critical database operations. The CVSS 3.1 score of 4.9 places this vulnerability in the medium severity range, though the availability impact score of 8.0 creates a substantial risk for system stability and uptime.

The technical nature of this vulnerability involves a flaw within the query optimization process that can lead to complete denial of service conditions. When exploited, the vulnerability causes MySQL Server to either hang indefinitely or experience frequently repeatable crashes, effectively rendering the database service unavailable to legitimate users. This type of flaw typically occurs when the optimizer encounters malformed or specially crafted queries that trigger memory corruption, infinite loops, or resource exhaustion conditions within the server's execution engine. The vulnerability's impact on server availability makes it particularly concerning for enterprise environments where database uptime is critical for business operations.

The operational impact of this vulnerability extends beyond simple service disruption, as database outages can cascade through entire application ecosystems that depend on MySQL services. Organizations running affected versions face potential business disruption, data access limitations, and increased operational overhead during incident response activities. The requirement for high privileged access suggests that internal threat actors or compromised accounts with elevated database permissions pose the primary risk, though network-based exploitation capabilities mean that external attackers with access to the database network may also exploit this weakness. This vulnerability directly impacts the availability pillar of the CIA triad, potentially causing complete service unavailability that affects database integrity and confidentiality as well.

Mitigation strategies should focus on immediate patching of affected MySQL versions to the latest stable releases that contain fixes for this optimizer flaw. Organizations should implement network segmentation to limit access to MySQL services and ensure that database accounts have the minimum required privileges to reduce the impact of potential exploitation. Monitoring systems should be enhanced to detect unusual query patterns or service disruptions that might indicate exploitation attempts. The vulnerability aligns with CWE-121 for buffer overflow conditions and CWE-122 for buffer overflow in heap-based data structures, while also mapping to ATT&CK technique T1499 for network denial of service attacks. Regular security assessments and vulnerability scanning should be conducted to identify and remediate similar issues within the database infrastructure. Additionally, implementing database activity monitoring and anomaly detection systems can help identify potential exploitation attempts before they cause significant service disruption.

Responsible

Oracle

Reservation

06/12/2025

Disclosure

07/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00517

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!