Cyber Posture

CVE-2025-21521

Severity: High
Published: 21 January 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: available
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0016 (36.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21521 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Oracle MySQL Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 36.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Applying Oracle patches directly remediates the Thread Pooling vulnerability, preventing unauthenticated network-based DoS exploitation.
- Prevent (SC-5, Denial-of-service Protection): Denial-of-service protection mechanisms such as rate limiting and traffic filtering block exploits targeting MySQL Thread Pooling to cause hangs or crashes.
- Prevent (SC-6, Resource Availability): Resource availability protections limit thread pool resource allocation and exhaustion from unauthenticated network attacks.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables remote unauthenticated exploitation of the MySQL server to cause resource exhaustion leading to crash or hang, directly facilitating application or system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Deeper analysis

CVE-2025-21521 is a vulnerability in the Server: Thread Pooling component of Oracle MySQL Server. It affects supported versions 8.0.39 and prior, 8.4.2 and prior, and 9.0.1 and prior. The issue, associated with CWE-770, enables easily exploitable attacks that can compromise the MySQL Server, with a CVSS 3.1 base score of 7.5 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), primarily impacting availability.

An unauthenticated attacker with network access via multiple protocols can exploit this vulnerability to cause a hang or frequently repeatable crash of the MySQL Server, resulting in a complete denial of service (DoS). No user interaction is required, and there are no impacts on confidentiality or integrity.

Oracle has published a security alert with details on the vulnerability and patches at https://www.oracle.com/security-alerts/cpujan2025.html. NetApp has also issued an advisory addressing the issue at https://security.netapp.com/advisory/ntap-20250124-0010/.

Details

CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Products

Oracle MySQL Server: 8.0.0 – 8.0.39 · 8.4.0 – 8.4.2 · 9.0.0 – 9.0.1
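As an added illustration (not part of this advisory), a defender-side inventory check that compares MySQL version strings against the affected ranges listed above; the host inventory values are constructed, and versions outside the listed ranges are reported as "not listed" rather than as safe.

```python
"""Flag MySQL Server versions that fall within the ranges this advisory
lists for CVE-2025-21521 (8.0.0-8.0.39, 8.4.0-8.4.2, 9.0.0-9.0.1).
Assumed: the ranges below are copied from the advisory; the sample
inventory is constructed for illustration."""
import re

# Inclusive (low, high) ranges taken from the "Affected Products" entry.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 0, 39)),
    ((8, 4, 0), (8, 4, 2)),
    ((9, 0, 0), (9, 0, 1)),
]


def parse_version(version: str) -> tuple:
    """Extract major.minor.patch from a SELECT VERSION() style string,
    e.g. '8.0.39-0ubuntu0.24.04.2' or '8.4.2-commercial'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies inside any listed affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: dict) -> dict:
    """Map host -> 'affected' / 'not listed' for a host->version inventory."""
    return {host: ("affected" if is_affected(ver) else "not listed")
            for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "db-prod-01": "8.0.39-0ubuntu0.24.04.2",   # last affected 8.0.x
    "db-prod-02": "8.0.40",                    # first 8.0.x above the range
    "db-stage-01": "8.4.2-commercial",         # affected 8.4.x
    "db-dev-01": "9.1.0",                      # above the 9.0.x range
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```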

CVEs Like This One

CVE-2026-34290 · Same vendor: Oracle
CVE-2026-34282 · Same vendor: Oracle
CVE-2026-35245 · Same vendor: Oracle
CVE-2026-21945 · Same vendor: Oracle
CVE-2025-21549 · Same vendor: Oracle
CVE-2026-21926 · Same vendor: Oracle
CVE-2026-21986 · Same vendor: Oracle
CVE-2026-33256 · Shared CWE-770
CVE-2026-26313 · Shared CWE-770
CVE-2025-27219 · Shared CWE-770
