CVE-2019-25598
Received Received - Intake
Buffer Overflow in HeidiSQL 10.1.0 Causes Local DoS

Publication date: 2026-03-22

Last updated on: 2026-03-22

Assigner: VulnCheck

Description
HeidiSQL Portable 10.1.0.5464 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer overflow payload into the password input during Microsoft SQL Server login to trigger an application crash.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-22
Last Modified
2026-03-22
Generated
2026-06-16
AI Q&A
2026-03-22
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25598
EUVD
EUVD-2019-19938
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
heidisql heidisql_portable 10.1.0.5464
heidisql heidisql_portable to 10.1.0.5464 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25598 is a denial of service vulnerability in HeidiSQL Portable version 10.1.0.5464. It occurs when a local attacker inputs an excessively long string into the password field during a Microsoft SQL Server login attempt. This triggers a buffer overflow condition that causes the application to crash.

The vulnerability is classified under CWE-787 (Out-of-bounds Write) and does not require any privileges or user interaction to exploit. The attack vector is local, and the impact is a high availability loss due to the application crash.

Impact Analysis

This vulnerability can cause HeidiSQL Portable to crash when an attacker supplies an excessively long password string during login. This results in a denial of service condition, making the application unavailable for legitimate users.

  • Loss of availability of the HeidiSQL application.
  • Potential disruption of database management tasks relying on HeidiSQL.
  • No direct impact on confidentiality or integrity, but service interruption could affect operations.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to reproduce the denial of service condition using the known exploit method. Specifically, a local test involves supplying an excessively long string in the password field during a Microsoft SQL Server login in HeidiSQL Portable 10.1.0.5464.'}, {'type': 'list_item', 'content': "Run the provided Python script `HeidiSQL_Portable_10.1.0.5464.py` to generate a payload file containing 2000 'A' characters."}, {'type': 'list_item', 'content': 'Copy the contents of the generated file `bd_p.txt` to the clipboard.'}, {'type': 'list_item', 'content': "Launch HeidiSQL Portable and create a new connection with network type set to 'Microsoft SQL Server (TCP/IP)'."}, {'type': 'list_item', 'content': "Enable 'Prompt for credentials' and open the connection."}, {'type': 'list_item', 'content': "In the login dialog, set authentication method to 'Password' and paste the clipboard content (the long string) into the password field."}, {'type': 'list_item', 'content': "Click 'Login' and observe if the application crashes, indicating the presence of the vulnerability."}] [2]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of HeidiSQL Portable version 10.1.0.5464 or earlier until a patched version is available.

Do not allow untrusted local users to access the system or run HeidiSQL Portable, as the vulnerability requires local access.

Monitor for updates or patches from the HeidiSQL developers and apply them as soon as they are released.

As a temporary workaround, avoid pasting or entering excessively long strings in the password field during Microsoft SQL Server login attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25598. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart