CVE-2019-25653
Received Received - Intake
Buffer Overflow in Navicat for Oracle 12.1.15 Causes DoS

Publication date: 2026-03-30

Last updated on: 2026-04-08

Assigner: VulnCheck

Description
Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Oracle connection configuration to trigger an application crash.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25653
EUVD
EUVD-2019-20045
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
navicat navicat_for_oracle to 12.1.15 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-620 When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a denial of service (DoS) issue in Navicat for Oracle version 12.1.15. It allows local attackers to crash the application by entering an excessively long string into the password field during Oracle connection configuration.

Specifically, an attacker can paste a buffer of 550 repeated characters into the password parameter, which triggers the application to crash due to improper handling of the input length.

Impact Analysis

The impact of this vulnerability is a denial of service condition where the Navicat for Oracle application crashes when the password field receives an excessively long input.

This crash can disrupt database management activities, potentially causing downtime or loss of productivity for users relying on the application.

Since the attack requires local access and no privileges or user interaction, it could be exploited by a local attacker to interrupt service availability.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the denial of service condition on Navicat for Oracle 12.1.15 by supplying an excessively long string in the password field during Oracle connection configuration.

A proof of concept involves generating a payload of 550 repeated characters (e.g., "A" characters) and pasting it into the password field of the Oracle connection setup in Navicat. If the application crashes, the vulnerability is present.

  • Run a Python script to generate a payload of 550 "A" characters.
  • Copy the generated payload to the clipboard.
  • Open Navicat for Oracle 12.1.15 and create a new Oracle connection.
  • Paste the payload into the password field.
  • Attempt to connect and observe if the application crashes.
Mitigation Strategies

Immediate mitigation steps include avoiding the use of Navicat for Oracle version 12.1.15 or earlier until a patch or update is available.

Do not allow untrusted local users to access the system or configure Oracle connections using Navicat, as the vulnerability requires local access.

Monitor for application crashes related to password input and restrict local user permissions to prevent exploitation.

Check for updates or newer versions of Navicat for Oracle that address this vulnerability and apply them as soon as possible.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25653. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart