CVE-2025-61018
Deferred - Pending Action
Denial of Service in Virtuoso Open-Source Database

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: MITRE

Description
An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Affected Vendors & Products
Vendor: openlink
Product: virtuoso-opensource
Version / Range: 7.2.11
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-89 is the weakness class assigned to the record. The record itself describes the server crashing while it processes a crafted statement, so in a deployment the exposure is any path by which attacker-influenced SQL reaches the Virtuoso SQL engine, whether an injection flaw in a front-end application or a SQL listener the attacker can connect to directly.
Compliance Impact

The vulnerability in openlink virtuoso-opensource v7.2.11 allows an attacker to cause a Denial of Service (DoS) via crafted SQL statements, so its compliance relevance is to availability.

The record does not map the issue to any specific standard such as GDPR or HIPAA. Where a regulation requires systems to remain available and reliable, an outage of the database could bear on compliance, but no framework-specific impact is documented.

Impact Analysis

An attacker who can submit SQL to a vulnerable openlink virtuoso-opensource 7.2.11 server can crash it with a crafted statement, taking the database offline and with it any service or application that depends on it. The record describes an availability impact only; no confidentiality or integrity impact is documented.

Executive Summary

This vulnerability exists in the sqlo_place_dt_set component of openlink virtuoso-opensource version 7.2.11. It allows attackers to cause a Denial of Service (DoS) by submitting specially crafted SQL statements that trigger a crash in the system.

The issue was discovered through fuzz testing: a specific SQL query that creates a table with a REAL column and then performs an UPDATE with a nested SELECT crashes the server. The crash occurs in the sqlo_place_dt_set function, and the database server is no longer available once the process has died.

Detection Guidance

Detection on this record is by reproduction: the reporter identified the crash with a DBMS fuzzer, and confirming it means running the same crafted statement (creating a table with a REAL column, then an UPDATE containing a nested SELECT) against a Virtuoso 7.2.11 instance and observing the crash in sqlo_place_dt_set. The statement itself is not reproduced in the record.

Because a successful reproduction takes the server down, run it only against a disposable test instance, never against a production database.

The reporter's reproduction steps use a Docker container:

  • Remove old Docker container: docker rm -f virtuoso-test
  • Start a new Docker container with the beta image: docker run -d --name virtuoso-test openlink/virtuoso-opensource:beta
  • Execute the problematic SQL query inside the container to trigger the crash.

Note that beta is a floating image tag, so the build it resolves to can change over time. Check the server version inside the container against the affected version (7.2.11) before treating a non-crash as evidence that the issue is absent.
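The three reproduction steps above, wrapped into a script as an added example. This is not the reporter's script or OpenLink's code. It assumes the image named on the page (override with IMAGE to pin a specific tag), the SQL listener on port 1111, the isql client available inside the container, the image's default dba/dba credentials, and that the reporter's trigger statement is supplied in a local file; the page does not reproduce the statement, so none is hard-coded. It adds what the steps leave implicit: waiting for the listener, recording the server version so the result is tied to a build rather than a moving tag, and checking after the statement whether the server process is still alive.

```shell
#!/bin/sh
# Reproduction harness for the Docker steps listed above (added example,
# not the reporter's script). Run it ONLY against a throwaway container:
# a successful run crashes the server.
#
# Assumptions, none of which the page states explicitly:
#   - IMAGE is the image the page names; pin a tag via IMAGE=... if needed
#   - the SQL listener is on 1111 and the isql client is in the container
#   - the DBA account is dba/dba (the image's documented default)
#   - the container exits when virtuoso-t dies (no restart policy is set)
#   - the reporter's trigger statement is in the file $TRIGGER_SQL

IMAGE="${IMAGE:-openlink/virtuoso-opensource:beta}"
NAME="${NAME:-virtuoso-test}"
TRIGGER_SQL="${TRIGGER_SQL:-trigger.sql}"

# isql inside the container; stdin carries the SQL batch
vsql() {
    docker exec -i "$NAME" isql 1111 dba dba
}

# Steps 1 and 2 from the page: a fresh container from the named image
start_container() {
    docker rm -f "$NAME" >/dev/null 2>&1 || true
    docker run -d --name "$NAME" "$IMAGE" >/dev/null
}

# Poll until the SQL listener answers (about 60 s at most)
wait_ready() {
    i=0
    while [ "$i" -lt 30 ]; do
        if printf 'select 1;\n' | vsql >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 2
    done
    echo "server did not come up" >&2
    return 1
}

# Record the server build so the result is not tied to a floating tag
report_version() {
    printf 'status();\n' | vsql 2>/dev/null | head -n 5
}

# "true"/"false" as printed by docker inspect for .State.Running
container_running() {
    docker inspect -f '{{.State.Running}}' "$NAME" 2>/dev/null || echo unknown
}

# Pure mapping from running state to verdict; this part runs offline
verdict() {
    case "$1" in
        true)  echo SERVER_ALIVE ;;
        false) echo SERVER_CRASHED ;;
        *)     echo UNKNOWN ;;
    esac
}

main() {
    [ -r "$TRIGGER_SQL" ] || { echo "put the reporter's statement in $TRIGGER_SQL" >&2; exit 2; }
    start_container
    wait_ready
    report_version
    # Step 3: feed the statement; isql itself may error out when the server dies
    vsql < "$TRIGGER_SQL" || true
    sleep 3
    result=$(verdict "$(container_running)")
    echo "result: $result"
    docker logs --tail 20 "$NAME" 2>&1 | sed 's/^/  log: /'
    # exit status 0 only if the server survived the statement
    [ "$result" = SERVER_ALIVE ]
}

# Opt-in, so sourcing the file or running the offline checks touches no container
if [ "${RUN_REPRO:-0}" = 1 ]; then
    main
fi
```

Invoke as `RUN_REPRO=1 TRIGGER_SQL=crash.sql sh repro_check.sh`; a non-zero exit with `result: SERVER_CRASHED` means the denial of service reproduced against the build printed by status(). Compare that build against 7.2.11 before drawing conclusions from a SERVER_ALIVE result.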
Mitigation Strategies

No fix is referenced in the record, so mitigation for openlink virtuoso-opensource v7.2.11 consists of keeping untrusted SQL away from the server: do not build SQL statements from externally-influenced input, and restrict which clients and networks can reach the SQL listener.

If you need to reproduce the issue, do so only in a controlled environment such as the Docker container described in the report, never on a production instance.

Monitor the official repository or issue tracker for patches or updates addressing this vulnerability and apply them as soon as they become available.
