CVE-2025-61019
Status: Deferred - Pending Action
Denial of Service in Virtuoso Open-Source Database

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: MITRE

Description
An issue in the sqlo_key_part_best component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Vendor: openlink
Product: virtuoso-opensource
Version / Range: 7.2.11
CWE ID: CWE-UNKNOWN
Impact Analysis

This vulnerability can impact you by causing a Denial of Service (DoS) condition on systems running openlink virtuoso-opensource version 7.2.11. An attacker can exploit this flaw by sending crafted SQL queries that crash the database server, potentially making the service unavailable to legitimate users.

Compliance Impact

The provided information does not specify any impact of the vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The vulnerability causes a crash in Virtuoso Open Source 7.2.11 triggered by crafted SQL queries that exploit the sqlo_key_part_best function during query processing.

Immediate mitigation steps include restricting or filtering untrusted or potentially malicious SQL queries to prevent execution of malformed or complex queries that could trigger the crash.

Additionally, running Virtuoso instances in isolated environments such as Docker containers can help contain the impact of any crashes.

Monitoring for updates or patches from the vendor and applying them once available is also recommended.

Executive Summary

The vulnerability CVE-2025-61019 is a flaw in the sqlo_key_part_best component of openlink virtuoso-opensource version 7.2.11. It allows attackers to cause a Denial of Service (DoS) by submitting specially crafted SQL statements.

Specifically, the issue causes a crash in the Virtuoso Open Source 7.2.11 software when processing a malformed SQL query. The crash happens in the function sqlo_key_part_best during query optimization and execution, likely due to out-of-bounds memory access or invalid pointer dereference triggered by complex SQL constructs such as CHECK constraints, UNIQUE constraints, nested CASE expressions, and arithmetic operations.

Detection Guidance

This vulnerability can be detected by running a specific Proof of Concept (PoC) SQL query against a Virtuoso Open Source 7.2.11 instance. The PoC involves executing a series of SQL commands that create a table with complex CHECK and UNIQUE constraints, define a view, and perform a SELECT query with nested CASE expressions and arithmetic operations.

If the system crashes or exhibits a Denial of Service (DoS) behavior during the execution of these commands, it indicates the presence of the vulnerability.

The commands can be run in a Virtuoso instance, for example, using a Docker container setup for testing.
