CVE-2025-61023
Deferred Deferred - Pending Action

Denial of Service in Virtuoso Open-Source Database

Vulnerability report for CVE-2025-61023, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-30

Assigner: MITRE

Description

An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-30
Generated
2026-07-14
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openlink virtuoso-opensource 7.2.11

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the st_compare component of openlink virtuoso-opensource version 7.2.11. It allows attackers to cause a Denial of Service (DoS) by executing specially crafted SQL statements. The issue arises during the execution of SQL queries involving sorting and grouping operations, where the st_compare function crashes, leading to a failure in the database system.

Specifically, a fuzzer discovered that certain complex SQL queries, such as those creating tables with check constraints and inserting data with grouping, trigger a crash in the st_compare function. This crash is related to memory management functions like bsearch and qsort_r, indicating a problem in how the database handles sorting during query execution.

Impact Analysis

This vulnerability can impact you by causing a Denial of Service (DoS) condition in the openlink virtuoso-opensource database system. An attacker can exploit this by sending crafted SQL queries that crash the st_compare function, potentially making the database unavailable or unstable.

As a result, legitimate users may be unable to access or use the database while it is in a crashed or unstable state, leading to service interruptions and potential loss of availability for applications relying on this database.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the crash using crafted SQL queries that trigger the st_compare function. Specifically, executing SQL statements involving table creation with check constraints and complex grouping operations may cause the Denial of Service condition.

One practical approach is to run the Proof of Concept (PoC) SQL query reported in the GitHub issue within a test environment running openlink virtuoso-opensource v7.2.11 or a similar setup, such as a beta Docker image.

  • Use a Docker container with the vulnerable version to safely test the PoC.
  • Execute the problematic SQL query involving table creation with check constraints and complex grouping to observe if the service crashes.
Mitigation Strategies

To mitigate the Denial of Service vulnerability in the st_compare component of openlink virtuoso-opensource v7.2.11, avoid executing or allowing execution of crafted SQL statements that involve complex sorting and grouping operations, especially those similar to the Proof of Concept queries that trigger the crash.

If possible, run the software in a controlled environment such as a Docker container to monitor and limit the impact of potential crashes.

Monitor the official project repository and issue tracker for patches or updates that address this vulnerability and apply them as soon as they become available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61023. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart