CVE-2025-50091 in MySQL Serverinfo

Summary

by MITRE • 07/15/2025

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 12/02/2025

The vulnerability identified as CVE-2025-50091 represents a critical availability threat within Oracle MySQL Server's optimizer component, affecting multiple version ranges including 8.0.0 through 8.0.42, 8.4.0 through 8.4.5, and 9.0.0 through 9.3.0. This flaw exists within the server's query optimization subsystem and demonstrates characteristics of a remotely exploitable issue that requires only high privileged access and network connectivity through various protocols to manifest. The vulnerability's classification as easily exploitable indicates that attackers with sufficient privileges and network access can reliably trigger the flaw without requiring extensive technical expertise or specialized conditions.

The technical nature of this vulnerability resides in the MySQL Server's optimizer module where maliciously crafted queries or database operations can cause the server to enter a state of permanent hang or repeatedly crash, effectively rendering the database service unavailable to legitimate users and applications. This behavior constitutes a complete denial of service condition that can severely impact database availability and business continuity. The vulnerability's CVSS 3.1 score of 4.9 reflects its medium severity in terms of exploitability while emphasizing the high impact on availability. The attack vector requires network access with high privileges, suggesting that the flaw is most likely exploitable by authenticated users with elevated database permissions rather than casual external attackers.

From an operational perspective, successful exploitation of CVE-2025-50091 can result in significant downtime for MySQL database services, potentially affecting multiple applications and systems that depend on database availability. The repeated crash behavior indicates that even if the initial exploitation is mitigated, the system may continue to experience service interruptions, making this vulnerability particularly dangerous for production environments where database uptime is critical. The impact extends beyond simple service disruption to potentially affect data integrity and application availability, as database services often serve as foundational components for enterprise applications and web services.

Security practitioners should prioritize patch management and immediate deployment of vendor updates to address this vulnerability, particularly in environments where high privileged users have network access to database servers. The vulnerability's presence in multiple MySQL version streams suggests a fundamental flaw in the optimizer's handling of specific query patterns or execution paths, requiring comprehensive testing of patched versions to ensure the fix properly addresses the underlying issue. Organizations should implement monitoring for unusual database service behavior and establish incident response procedures to quickly address any exploitation attempts. This vulnerability aligns with CWE-476 which addresses null pointer dereference conditions, and may also relate to ATT&CK technique T1499 which covers network denial of service attacks. The availability impact makes this vulnerability particularly concerning for compliance requirements and service level agreements that mandate high availability database services.

Responsible

Oracle

Reservation

06/12/2025

Disclosure

07/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00559

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!