{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-8865", "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "state": "PUBLISHED", "assignerShortName": "Yugabyte", "dateReserved": "2025-08-11T13:30:55.802Z", "datePublished": "2025-08-11T14:19:02.960Z", "dateUpdated": "2025-08-11T15:04:04.232Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "yugabyte", "platforms": ["MacOS", "Linux", "x86", "ARM"], "product": "YugabyteDB", "vendor": "YugabyteDB Inc", "versions": [{"lessThan": "2024.1.3.0", "status": "affected", "version": "2024.1.0.0", "versionType": "custom"}, {"lessThan": "2024.2.2.5", "status": "affected", "version": "2024.2.0.0", "versionType": "custom"}, {"lessThan": "2.20.9.0", "status": "affected", "version": "2.20.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. <b>An authenticated attacker</b> could exploit this issue to crash the YCQL tablet server, resulting in a denial of service.</span><br>"}], "value": "The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service."}], "impacts": [{"capecId": "CAPEC-215", "descriptions": [{"lang": "en", "value": "CAPEC-215 Fuzzing for application mapping"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 4.1, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "shortName": "Yugabyte", "dateUpdated": "2025-08-11T14:19:02.960Z"}, "references": [{"url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/"}], "source": {"defect": ["DB-259"], "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-11T15:02:48.385333Z", "id": "CVE-2025-8865", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T15:04:04.232Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-11T15:02:48.385333Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T15:02:56.012Z"}}], "cna": {"source": {"defect": ["DB-259"], "discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-215", "descriptions": [{"lang": "en", "value": "CAPEC-215 Fuzzing for application mapping"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.1, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "YugabyteDB Inc", "product": "YugabyteDB", "versions": [{"status": "affected", "version": "2024.1.0.0", "lessThan": "2024.1.3.0", "versionType": "custom"}, {"status": "affected", "version": "2024.2.0.0", "lessThan": "2024.2.2.5", "versionType": "custom"}, {"status": "affected", "version": "2.20.0.0", "lessThan": "2.20.9.0", "versionType": "custom"}], "platforms": ["MacOS", "Linux", "x86", "ARM"], "packageName": "yugabyte", "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. <b>An authenticated attacker</b> could exploit this issue to crash the YCQL tablet server, resulting in a denial of service.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "shortName": "Yugabyte", "dateUpdated": "2025-08-11T14:19:02.960Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8865", "state": "PUBLISHED", "dateUpdated": "2025-08-11T15:04:04.232Z", "dateReserved": "2025-08-11T13:30:55.802Z", "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "datePublished": "2025-08-11T14:19:02.960Z", "assignerShortName": "Yugabyte"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service."}], "id": "CVE-2025-8865", "lastModified": "2025-08-11T18:32:48.867", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-08-11T15:15:29.203", "references": [{"source": "[email protected]", "url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "[email protected]", "type": "Secondary"}]}

{"bugzilla": {"description": "yugabytedb: YugabyteDB null pointer dereference", "id": "2387636", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387636"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.0", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-476", "details": ["A null pointer dereference flaw has been discovered in YugabyteDB. An authenticated attacker could exploit this to crash the YCQL tablet server, resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-8865", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "yugabytedb", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "yugabytedb", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2025-08-11T14:19:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-8865\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-8865\nhttps://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/"], "threat_severity": "Low"}