CVE-2025-21501

6.5 MEDIUM

📋 TL;DR

This vulnerability in MySQL Server's optimizer component allows authenticated attackers with low privileges to cause a denial of service by crashing or hanging the database server. It affects MySQL versions 8.0.40 and prior, 8.4.3 and prior, and 9.1.0 and prior. Attackers need network access and valid database credentials to exploit it.

💻 Affected Systems

Products:
  • Oracle MySQL Server
Versions: 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior
Operating Systems: All platforms running affected MySQL versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires network access and low-privilege database credentials

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database unavailability causing application downtime and business disruption

🟠 Likely Case: Intermittent database crashes requiring manual restart and causing service interruptions

🟢 If Mitigated: Limited impact with proper network segmentation and privilege restrictions

🌐 Internet-Facing: HIGH - Attackers with stolen credentials can cause a complete DoS from anywhere
🏢 Internal Only: MEDIUM - Requires authenticated access, but low-privilege accounts are common

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Oracle describes the vulnerability as 'easily exploitable', but exploitation requires authenticated access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.41, 8.4.4, 9.1.1 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2025.html

Restart Required: Yes

Instructions:

1. Download the latest MySQL version from the Oracle website
2. Back up databases
3. Stop the MySQL service
4. Install the updated version
5. Restart the MySQL service
6. Verify the version

🔧 Temporary Workarounds

Network Access Restriction

Platforms: all

Limit MySQL network access to trusted hosts only

# In my.cnf (only if every client runs on the same host): bind-address = 127.0.0.1
# Or with a host firewall, allow trusted hosts and drop everything else (an ACCEPT rule alone blocks nothing):
#   iptables -A INPUT -p tcp --dport 3306 -s trusted_ip -j ACCEPT
#   iptables -A INPUT -p tcp --dport 3306 -j DROP

Privilege Minimization

Platforms: all

Review and reduce low-privilege account permissions

REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'lowprivuser'@'%';  -- strips global and per-database grants, not just ON *.*
GRANT SELECT ON specific_db.* TO 'lowprivuser'@'%';          -- re-grant only what the application needs
RENAME USER 'lowprivuser'@'%' TO 'lowprivuser'@'specific_host';  -- restrict the source host; GRANT does not create accounts in 8.0+

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit MySQL access
  • Regularly audit and minimize database user privileges, especially for low-privilege accounts

🔍 How to Verify

Check if Vulnerable:

Check MySQL version: SELECT VERSION(); and compare against affected versions

Check Version:

mysql -u root -p -e 'SELECT VERSION();'

Verify Fix Applied:

Verify version is 8.0.41+, 8.4.4+, or 9.1.1+ and test database stability
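An added helper (not from the advisory or from Oracle) that classifies the string returned by SELECT VERSION() against the affected and fixed versions listed above. The branch table and sample version strings are constructed here; series the advisory does not list are reported as unknown rather than safe.

```python
"""Classify a MySQL VERSION() string against the CVE-2025-21501 ranges
from the advisory: affected 8.0.40-, 8.4.3-, 9.1.0-; fixed 8.0.41, 8.4.4, 9.1.1."""
import re
import sys

# First fixed version per maintained series, taken from the advisory above.
FIXED_BY_BRANCH = {
    (8, 0): (8, 0, 41),
    (8, 4): (8, 4, 4),
    (9, 1): (9, 1, 1),
}


def parse_version(raw):
    """Return (major, minor, patch) from a VERSION() string.

    Distribution builds append suffixes such as '8.0.40-0ubuntu0.22.04.1',
    '8.4.3-commercial' or '8.0.39-log'; only the leading numeric triple matters.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(raw):
    """True if the server is in an affected range, False if it carries the fix.

    Returns None for series the advisory does not list (e.g. 5.7 or the
    8.1-8.3 / 9.0 innovation releases): no verdict, so treat as 'unknown'.
    """
    major, minor, patch = parse_version(raw)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    # Usage: python check.py "$(mysql -u root -p -Ne 'SELECT VERSION();')"
    verdict = is_affected(sys.argv[1])
    print({True: "VULNERABLE", False: "fixed", None: "unknown series"}[verdict])
```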

📡 Detection & Monitoring

Log Indicators:

  • Unexpected MySQL crashes or restarts
  • Error logs showing optimizer-related failures
  • Multiple failed connection attempts from same source

Network Indicators:

  • Unusual traffic patterns to MySQL port 3306
  • Multiple connections from low-privilege accounts

SIEM Query:

source="mysql_error.log" AND ("crash" OR "segfault" OR "optimizer")

🔗 References
