CVE-2025-8865

MEDIUM

YugabyteDB 2024.1.0.0-2024.1.2.9, 2024.2.0.0-2024.2.2.4, 2.20.0.0-2.20.8.9 - DoS via YCQL Query Handling

Title source: llm

Description

The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service.

References (1)

Core 1

Core References

Various Sources

https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/

Scores

CVSS v4 4.1

EPSS 0.0015

EPSS Percentile 4.5%

CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-476

Status published

Products (3)

YugabyteDB Inc/YugabyteDB 2.20.0.0 - 2.20.9.0

YugabyteDB Inc/YugabyteDB 2024.1.0.0 - 2024.1.3.0

YugabyteDB Inc/YugabyteDB 2024.2.0.0 - 2024.2.2.5

Published Aug 11, 2025

Tracked Since Feb 18, 2026