CVE-2025-50091 is a vulnerability identified in Oracle Corporation's MySQL Server, specifically affecting the Server Optimizer component. The affected versions include 8.0.0 through 8.0.42, 8.4.0 through 8.4.5, and 9.0.0 through 9.3.0. This vulnerability allows a high-privileged attacker with network access to exploit multiple protocols to compromise the MySQL Server. The nature of the vulnerability is a denial-of-service (DoS) condition, where an attacker can cause the server to hang or crash repeatedly, resulting in complete service unavailability. The CVSS 3.1 base score is 4.9, indicating a medium severity primarily due to availability impact. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), but demands high privileges (PR:H) and no user interaction (UI:N). The scope is unchanged (S:U), and there is no impact on confidentiality or integrity, only availability (C:N/I:N/A:H). The underlying weakness is classified under CWE-400, which relates to uncontrolled resource consumption leading to DoS. No known exploits are currently reported in the wild, and no patches are linked yet. This vulnerability is easily exploitable by attackers who already have high privileges and network access, making it a significant concern for environments where MySQL servers are exposed or accessible by privileged users over the network. The potential for repeated crashes or hangs can disrupt database availability, impacting dependent applications and services.

For European organizations, the impact of CVE-2025-50091 centers on availability disruption of MySQL Server instances. Many enterprises, public sector bodies, and service providers in Europe rely heavily on MySQL for critical applications, including e-commerce, financial services, healthcare, and government databases. A successful exploitation could lead to denial of service, causing downtime, loss of business continuity, and potential cascading effects on dependent systems. Although the vulnerability does not compromise data confidentiality or integrity, the loss of availability can result in operational delays, customer dissatisfaction, and financial losses. Organizations with MySQL servers exposed to internal or external networks, especially those with privileged users who can access the server remotely, are at higher risk. The medium severity score reflects that while the impact is significant, exploitation requires high privileges, limiting the attack surface to insiders or attackers who have already escalated privileges. However, in environments with weak internal controls or compromised credentials, this vulnerability could be leveraged to cause substantial disruption.

To mitigate CVE-2025-50091, European organizations should take the following specific actions: 1) Restrict network access to MySQL servers strictly to trusted hosts and networks using firewalls and network segmentation to minimize exposure. 2) Enforce the principle of least privilege by ensuring that only necessary users have high privileges on MySQL servers, and regularly audit privileged accounts and their access patterns. 3) Monitor MySQL server logs and network traffic for unusual activity that could indicate attempts to exploit resource exhaustion or DoS conditions. 4) Apply any available patches or updates from Oracle as soon as they are released; in the absence of patches, consider temporary workarounds such as limiting query complexity or connection rates to reduce resource consumption. 5) Implement robust incident response plans to quickly detect and recover from MySQL service disruptions. 6) Use MySQL configuration options to limit resource usage per connection or query where possible to mitigate the impact of resource exhaustion. 7) Conduct regular security assessments and penetration tests focusing on privilege escalation and DoS attack vectors within the MySQL environment.