CVE-2025-61020
Deferred - Pending Action
Denial of Service in Virtuoso Open-Source Database

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: MITRE

Description
An issue in the sqlo_strip_in_join component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Meta Information
Generated: 2026-06-23
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openlink virtuoso-opensource 7.2.11
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

The vulnerability is in sqlo_strip_in_join, a function in the SQL optimizer of openlink virtuoso-opensource version 7.2.11. An attacker who can submit SQL statements to the server can craft one that crashes it, which is a Denial of Service (DoS).

The issue was found by fuzz testing, which generated a complex UPDATE statement whose WHERE clause used IN with a SELECT subquery combining xmlagg, ABS, GROUP BY and ORDER BY. Processing that statement crashed inside sqlo_strip_in_join, terminating the server process and taking the service down.

Impact Analysis

The impact is a Denial of Service (DoS): a specially crafted SQL statement crashes the Virtuoso Open Source server.

The crash terminates the database process, so every open connection is dropped and the service is unavailable to legitimate users until the process is restarted or otherwise recovered. Because the trigger is a single statement, an attacker who can submit SQL can repeat it after every restart.

Detection Guidance

The only check that carries no risk is the version check: confirm the installed server version against 7.2.11, the one release the advisory lists, before anything else.

The GitHub issue referenced by the advisory carries a Proof of Concept (PoC) SQL script that reproduces the crash. Run it only in a disposable environment such as a Docker container, never against a production instance: a successful test is the outage itself.

A positive result is the server process terminating (the client connection drops and the virtuoso-t process is gone), not an error returned for the statement. A statement that is merely rejected means the crash did not reproduce.

  • Run the PoC from the referenced GitHub issue against a throw-away copy of the instance and confirm the process state afterwards.
  • In production, watch for unexpected restarts of the server process and for log output that stops abruptly after statements combining UPDATE, IN subqueries, xmlagg, GROUP BY and ORDER BY; an orderly shutdown is logged as such, a crash is not.
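The reproduction step above, written out as an added example (this is not code from the advisory, NVD or the Virtuoso project). It starts a throw-away container, feeds it the PoC, and then reads the container's exit state so that a crash is told apart from a clean stop or an OOM kill. Everything it relies on is an assumption not stated on the page: the PoC saved locally as ./poc.sql, the Docker Hub image openlink/virtuoso-opensource-7 with a 7.2.11 tag, the SQL listener on port 1111 with the default dba/dba credentials, and Virtuoso's isql client on PATH (packaged as isql-v on some distributions).

```shell
#!/bin/sh
# Added example for this advisory page; not code from the page, NVD or the
# Virtuoso project. Runs the PoC against a disposable container and classifies
# what happened to the server process afterwards.
#
# Assumptions (not stated on the page): PoC saved as ./poc.sql, image
# openlink/virtuoso-opensource-7:7.2.11, SQL listener on 1111 with dba/dba,
# Virtuoso's isql client on PATH. Override with IMAGE, POC and ISQL.

IMAGE="${IMAGE:-openlink/virtuoso-opensource-7:7.2.11}"
POC="${POC:-./poc.sql}"
ISQL="${ISQL:-isql}"

# classify_exit STATUS EXITCODE -> running | clean-stop | crash | killed | exit-N
# A process ended by signal N exits with 128+N: 134 = SIGABRT (abort()/assert),
# 136 = SIGFPE, 139 = SIGSEGV. 137 = SIGKILL (OOM killer or `docker kill`).
# Any other non-zero code still means the server died (Virtuoso may catch the
# fault itself and exit after logging); read the log tail in that case.
classify_exit() {
  status="$1"
  code="$2"
  if [ "$status" = "running" ]; then
    echo running
    return 0
  fi
  case "$code" in
    0) echo clean-stop ;;
    134|136|139) echo crash ;;
    137) echo killed ;;
    *) echo "exit-$code" ;;
  esac
}

# wait_for_listener -> 0 once the SQL port answers, 1 after about 30 seconds
wait_for_listener() {
  n=0
  while [ "$n" -lt 30 ]; do
    if "$ISQL" 127.0.0.1:1111 dba dba exec='status();' >/dev/null 2>&1; then
      return 0
    fi
    n=$((n + 1))
    sleep 1
  done
  return 1
}

# run_poc -> starts the container, feeds the PoC, prints one verdict line;
# returns 0 only when the verdict is "crash".
run_poc() {
  cid=$(docker run -d -p 127.0.0.1:1111:1111 "$IMAGE") || return 2
  if ! wait_for_listener; then
    echo "SQL listener never came up; image or port assumption is wrong" >&2
    docker rm -f "$cid" >/dev/null
    return 2
  fi
  # On a crash the client just sees a dropped connection, so its exit status is
  # not the signal; the container state read afterwards is.
  "$ISQL" 127.0.0.1:1111 dba dba <"$POC" >poc.out 2>&1 || true
  sleep 2
  status=$(docker inspect -f '{{.State.Status}}' "$cid")
  code=$(docker inspect -f '{{.State.ExitCode}}' "$cid")
  verdict=$(classify_exit "$status" "$code")
  echo "image=$IMAGE status=$status exitcode=$code verdict=$verdict"
  docker logs --tail 30 "$cid"   # last server log lines, for the record
  docker rm -f "$cid" >/dev/null
  [ "$verdict" = "crash" ]
}

# Docker is only touched when asked for, so the helpers can be sourced safely.
if [ "${RUN_POC:-0}" = "1" ]; then
  run_poc
fi
```

Invoke as `RUN_POC=1 sh reproduce.sh` on a host where nothing else listens on 127.0.0.1:1111. A verdict of `running` means the statement did not reproduce the crash on that image; `clean-stop` means the server shut down in an orderly way, which is not this bug.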
Compliance Impact

The vulnerability in openlink virtuoso-opensource v7.2.11 causes a Denial of Service (DoS) via crafted SQL statements. It affects availability only; the confidentiality and integrity of stored data are not impacted.

Availability is nonetheless a protected property in the major data-protection regimes: GDPR Article 32(1)(b) requires the ability to ensure the ongoing availability and resilience of processing systems and services, and the HIPAA Security Rule (45 CFR 164.306(a)(1)) requires covered entities to ensure the availability of electronic protected health information. A DoS against a Virtuoso instance that holds regulated data is therefore not automatically out of scope; it is an availability incident under those rules rather than a disclosure.

The same applies to frameworks and contracts that set availability or resilience requirements: a crash reachable by anyone who can submit SQL counts against them.

Mitigation Strategies

Because the trigger is a crafted SQL statement, exposure is bounded by who can submit SQL to the server. Until a fixed release is deployed, the controls that matter are access controls rather than query hygiene on the operator's side: restrict the SQL listener to trusted networks or loopback, give application accounts only the privileges their queries need, and do not expose ad-hoc query interfaces to untrusted users.

Avoiding UPDATE statements whose WHERE clauses combine IN, SELECT, xmlagg, ABS, GROUP BY and ORDER BY in your own workload removes one accidental trigger, but it does nothing against an attacker who can already submit statements.

Run the server under a supervisor that restarts it after an abnormal exit so that a crash is a short interruption rather than an outage, and alert on every such restart: repeated unexplained crashes are the observable sign of exploitation attempts. Upgrade to a release that fixes the issue as soon as one is available.
