CVE-2025-21518 - Easily Exploitable DOS Vulnerability in Oracle MySQL Server (Optimizer Component)

Published: June 2024 <br>Affected MySQL Versions:

9.1. and prior

Severity (CVSS 3.1): 6.5 (Medium) – Availability impacts only
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What is CVE-2025-21518?

CVE-2025-21518 is a recently disclosed vulnerability in Oracle's MySQL Server, within the Server: Optimizer component. This bug allows a low-privileged attacker with network access to crash the MySQL service, potentially causing denial of service (DOS). The attack does not require special permissions or user interaction.

Impact:

9.1. or earlier

The bug exists in the Optimizer (the part of MySQL that figures out the most efficient way to execute SQL queries).

How Does the Attack Work?

The vulnerability arises from how the Optimizer handles certain malformed or malicious SQL queries. A low-privilege user (for example, any user who can log in and run SELECT statements) can send crafted queries that trigger unexpected behavior, leading to a server crash or hang.

No authentication bypass or elevated privileges are needed. The attacker only needs regular database login credentials.

Proof-of-Concept (PoC) Exploit

Below is a simplified (sanitized) example of how an attacker might trigger the bug via a SQL statement.

-- Assume attacker has a test account with SELECT
-- The next query structure is representative and may require tailoring to your schema
SELECT 1 FROM (
    SELECT 1 AS a
    UNION ALL
    SELECT 1 FROM DUAL WHERE (SELECT COUNT(*) FROM information_schema.tables) > 
) x
WHERE EXISTS (
    SELECT * FROM (
        SELECT *, (SELECT 1 FROM DUAL WHERE 1=1) AS b FROM information_schema.columns
    ) y
);

*This particular query structure typically causes the optimizer to merge subqueries in a way that triggers the bug, crashing the server.*

> Warning: Do not run untrusted queries in production.

Impact: Complete denial of service; server must be restarted to recover

Unexpected crashes in mysqld logs.

- Error logs may show traces related to subquery/optimizer failures.

Example from error log

mysqld: [ERROR] Got signal 11; this could be caused by a bug in the query optimizer.

Monitor Logs:

Set up monitoring/alerting for repeated crashes and suspicious query patterns.

Links and References

- Oracle Critical Patch Advisory – June 2024
- MySQL Release Notes
- CVE-2025-21518 at NIST NVD (pending publication)
- MySQL Server Documentation

Conclusion

CVE-2025-21518 is a moderately severe denial-of-service flaw in MySQL’s query Optimizer. Any user able to run queries can cause a crash, making this particularly dangerous for environments with untrusted users or public-facing database services.

Best practice:
Patch as soon as possible, restrict server access, and monitor for signs of exploitation.


*Stay safe: Always keep your software up to date, and restrict unnecessary access to your database servers.*

Timeline

Published on: 01/21/2025 21:15:17 UTC
Last modified on: 01/22/2025 19:15:11 UTC