CVE-2025-21500: 
MySQL vulnerability analysis and mitigation

CVE-2025-21500 is a vulnerability in Oracle MySQL Server's Optimizer component affecting versions 8.0.40 and prior, 8.4.3 and prior, and 9.1.0 and prior. The vulnerability was discovered by Jie Liang and Jingzhou Fu of WingTecher Lab of Tsinghua University and was publicly disclosed on January 21, 2025 (Oracle CPU, NVD).

This is an easily exploitable vulnerability that allows low-privileged attackers with network access to compromise MySQL Server through multiple protocols. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash, leading to a complete denial of service (DoS) of MySQL Server. The vulnerability impacts only the availability of the system, with no direct effects on confidentiality or integrity (Oracle CPU).

Oracle has released patches for this vulnerability in their January 2025 Critical Patch Update. Users should upgrade to MySQL version 8.0.41 which contains fixes for this vulnerability. Ubuntu users can update to mysql-server-8.0 version 8.0.41 through their respective distribution channels (Ubuntu Notice).