CVE-2025-21521
Published: 21 January 2025
Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Security Summary
CVE-2025-21521 is a vulnerability in the Server: Thread Pooling component of Oracle MySQL Server. It affects supported versions 8.0.39 and prior, 8.4.2 and prior, and 9.0.1 and prior. The issue is classified as CWE-770 (Allocation of Resources Without Limits or Throttling) and is rated easily exploitable, with a CVSS 3.1 base score of 7.5 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H); the impact is on availability only.
An unauthenticated attacker with network access via multiple protocols can exploit this vulnerability to cause a hang or frequently repeatable crash of the MySQL Server, resulting in a complete denial of service (DoS). No user interaction is required, and there are no impacts on confidentiality or integrity.
Oracle addressed the issue in its January 2025 Critical Patch Update; the advisory with affected products and patch information is at https://www.oracle.com/security-alerts/cpujan2025.html. NetApp has also issued an advisory covering its products that bundle MySQL at https://security.netapp.com/advisory/ntap-20250124-0010/.
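The affected-version statement above is the piece an operator actually needs when triaging an inventory of MySQL hosts. The following is an added example (not code from Oracle, NetApp, or the advisory) that classifies a host from the string returned by `SELECT VERSION()` and from the rows of `SELECT PLUGIN_NAME, PLUGIN_STATUS FROM information_schema.PLUGINS WHERE PLUGIN_NAME = 'thread_pool'`. It assumes the first unaffected releases per branch are 8.0.40, 8.4.3 and 9.1.0; those values are inferred from "8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior" and should be confirmed against the Oracle CPU risk matrix before being relied on. The sample hosts at the bottom are constructed, not real inventory data.

```python
"""Triage helper for CVE-2025-21521 (MySQL Server, Server: Thread Pooling DoS).

Added example, not code from Oracle, NetApp or the advisory. Inputs are the
SELECT VERSION() string and the (PLUGIN_NAME, PLUGIN_STATUS) rows for the
thread_pool plugin from information_schema.PLUGINS.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# First unaffected release per supported branch. ASSUMPTION inferred from the
# advisory's "8.0.39 / 8.4.2 / 9.0.1 and prior"; confirm against the Oracle CPU.
PATCHED_FLOORS = {
    "8.0": (8, 0, 40),
    "8.4": (8, 4, 3),
    "9": (9, 1, 0),  # innovation track: 9.0.1 and prior affected
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string: str) -> Optional[Version]:
    """Extract the leading x.y.z from SELECT VERSION() output.

    Tolerates build suffixes such as '8.0.39-commercial' or '8.4.2-log'.
    Returns None if the string does not start with a numeric triple.
    """
    m = _VERSION_RE.match(version_string.strip())
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def branch_key(v: Version) -> Optional[str]:
    """Map a version to the advisory's branch naming; None if not a supported branch."""
    major, minor, _ = v
    if major == 8 and minor in (0, 4):
        return f"8.{minor}"
    if major == 9:
        return "9"
    return None  # 5.7, 8.1-8.3 and so on are not among the advisory's supported versions


def version_status(version_string: str) -> str:
    """Return 'patched', 'affected', 'out_of_scope' or 'unparseable'."""
    v = parse_version(version_string)
    if v is None:
        return "unparseable"
    key = branch_key(v)
    if key is None:
        # Unsupported releases are not assessed by the advisory; flag for
        # review rather than treating them as safe.
        return "out_of_scope"
    return "patched" if v >= PATCHED_FLOORS[key] else "affected"


def thread_pool_active(plugin_rows: List[Tuple[str, str]]) -> bool:
    """True if the information_schema.PLUGINS rows show thread_pool as ACTIVE."""
    return any(name == "thread_pool" and status.upper() == "ACTIVE"
               for name, status in plugin_rows)


def triage(version_string: str, plugin_rows: List[Tuple[str, str]]) -> str:
    """Combine version state and plugin state into an action for CVE-2025-21521.

    The advisory attributes the flaw to the Thread Pooling component, so an
    active thread_pool plugin raises priority. It does not say that leaving the
    plugin unloaded is a mitigation, so affected versions are flagged either way.
    """
    status = version_status(version_string)
    if status == "patched":
        return "patched: no action for CVE-2025-21521"
    if status == "unparseable":
        return "unparseable version string: verify manually"
    pool = "thread_pool ACTIVE" if thread_pool_active(plugin_rows) else "thread_pool not active"
    if status == "affected":
        prio = "HIGH" if thread_pool_active(plugin_rows) else "MEDIUM"
        return f"{prio}: affected version ({pool}); upgrade and restrict network access to the server"
    return f"REVIEW: version outside the advisory's supported branches ({pool}); move to a supported, patched release"


if __name__ == "__main__":
    # Constructed sample hosts, not real inventory data.
    hosts = [
        ("8.0.39-commercial", [("thread_pool", "ACTIVE")]),
        ("8.0.40", [("thread_pool", "ACTIVE")]),
        ("8.4.2-log", []),
        ("9.0.1", [("thread_pool", "DISABLED")]),
        ("9.1.0", []),
        ("5.7.44-log", []),
    ]
    for ver, rows in hosts:
        print(f"{ver:20s} -> {triage(ver, rows)}")
```

Versions below the supported branches (for example 5.7) are reported as out of scope rather than patched: the advisory makes no statement about them, and a host still running one needs attention for reasons beyond this CVE.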
Details
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)