Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable, low-complexity DoS, but submitting SQL typically needs a database session so PR:L; availability-only impact (A:H), no confidentiality or integrity effect.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
AnalysisAI
Denial of service in OpenLink Virtuoso (open-source edition) v7.2.11 allows attackers to crash the database server by submitting crafted SQL statements that mishandle the internal st_compare comparison routine. The flaw affects availability only (CVSS A:H, no confidentiality or integrity impact) and carries a 7.5 base score; EPSS is low (0.15%, 5th percentile) with no public exploit identified at time of analysis and no CISA KEV listing. Despite the CWE-89 (SQL Injection) classification, the reported effect is a service crash rather than data manipulation or extraction.
Technical ContextAI
Virtuoso is OpenLink's multi-model database server combining a relational SQL engine with an RDF triplestore and SPARQL/SPARQL-over-SQL endpoints, commonly used as a backend for linked-data and semantic-web deployments. The defect lives in the st_compare component - an internal value/sort comparison routine invoked during SQL query processing - where a crafted statement drives the comparison logic into an error state (e.g., type mishandling, null/structure dereference, or unbounded resource use) that terminates the server process. The assigned CWE-89 (Improper Neutralization of Special Elements in an SQL Command) flags this as an SQL-injection class issue, but the documented consequence is denial of service via the SQL parser/executor rather than classic injection-driven data disclosure; this CWE-vs-impact mismatch should be treated as a tagging artifact pending vendor confirmation. The CPE provided (cpe:2.3:a:n/a:n/a:*) is a placeholder and does not concretely identify the product, so version scoping relies on the description's explicit mention of v7.2.11.
RemediationAI
No vendor-released patch identified at time of analysis; the only upstream artifact is the bug report at https://github.com/openlink/virtuoso-opensource/issues/1230, so monitor that issue and the OpenLink virtuoso-opensource releases for a fixed tag and upgrade as soon as one is published. As compensating controls until a fix ships, restrict who can submit SQL to the server: enforce database authentication and least-privilege accounts, and disable or firewall any anonymous SQL-capable access paths (e.g., block external access to the SQL listener port and restrict the HTTP/SPARQL endpoints to trusted clients), accepting that locking down SPARQL/HTTP access may break public linked-data consumers. Place Virtuoso behind a reverse proxy or query gateway that can rate-limit and reject malformed statements, and ensure the process runs under a supervisor (systemd/restart policy) so a crash auto-recovers - noting this mitigates downtime but not the repeated-crash DoS itself. Validate the NVD/EUVD entries (https://nvd.nist.gov/vuln/detail/CVE-2025-61023) for an updated fixed version before relying on these workarounds.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-89 – SQL Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210318
GHSA-fgcp-r4fm-q7gx