{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-8865", "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "state": "PUBLISHED", "assignerShortName": "Yugabyte", "dateReserved": "2025-08-11T13:30:55.802Z", "datePublished": "2025-08-11T14:19:02.960Z", "dateUpdated": "2025-08-11T15:04:04.232Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "yugabyte", "platforms": ["MacOS", "Linux", "x86", "ARM"], "product": "YugabyteDB", "vendor": "YugabyteDB Inc", "versions": [{"lessThan": "2024.1.3.0", "status": "affected", "version": "2024.1.0.0", "versionType": "custom"}, {"lessThan": "2024.2.2.5", "status": "affected", "version": "2024.2.0.0", "versionType": "custom"}, {"lessThan": "2.20.9.0", "status": "affected", "version": "2.20.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. <b>An authenticated attacker</b> could exploit this issue to crash the YCQL tablet server, resulting in a denial of service.</span><br>"}], "value": "The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service."}], "impacts": [{"capecId": "CAPEC-215", "descriptions": [{"lang": "en", "value": "CAPEC-215 Fuzzing for application mapping"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 4.1, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "shortName": "Yugabyte", "dateUpdated": "2025-08-11T14:19:02.960Z"}, "references": [{"url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/"}], "source": {"defect": ["DB-259"], "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-11T15:02:48.385333Z", "id": "CVE-2025-8865", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T15:04:04.232Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-11T15:02:48.385333Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T15:02:56.012Z"}}], "cna": {"source": {"defect": ["DB-259"], "discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-215", "descriptions": [{"lang": "en", "value": "CAPEC-215 Fuzzing for application mapping"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.1, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "YugabyteDB Inc", "product": "YugabyteDB", "versions": [{"status": "affected", "version": "2024.1.0.0", "lessThan": "2024.1.3.0", "versionType": "custom"}, {"status": "affected", "version": "2024.2.0.0", "lessThan": "2024.2.2.5", "versionType": "custom"}, {"status": "affected", "version": "2.20.0.0", "lessThan": "2.20.9.0", "versionType": "custom"}], "platforms": ["MacOS", "Linux", "x86", "ARM"], "packageName": "yugabyte", "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. <b>An authenticated attacker</b> could exploit this issue to crash the YCQL tablet server, resulting in a denial of service.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "shortName": "Yugabyte", "dateUpdated": "2025-08-11T14:19:02.960Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8865", "state": "PUBLISHED", "dateUpdated": "2025-08-11T15:04:04.232Z", "dateReserved": "2025-08-11T13:30:55.802Z", "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "datePublished": "2025-08-11T14:19:02.960Z", "assignerShortName": "Yugabyte"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service."}, {"lang": "es", "value": "El servidor de tabletas YugabyteDB presenta una falla en el manejo de consultas YCQL que puede provocar una desreferencia de puntero nulo al procesar ciertas entradas malformadas. Un atacante autenticado podr\u00eda aprovechar esta falla para bloquear el servidor de tabletas YCQL y provocar una denegaci\u00f3n de servicio."}], "id": "CVE-2025-8865", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@yugabyte.com", "type": "Secondary"}]}, "published": "2025-08-11T15:15:29.203", "references": [{"source": "security@yugabyte.com", "url": "https://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/"}], "sourceIdentifier": "security@yugabyte.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security@yugabyte.com", "type": "Secondary"}]}

{"bugzilla": {"description": "yugabytedb: YugabyteDB null pointer dereference", "id": "2387636", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387636"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.0", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-476", "details": ["A null pointer dereference flaw has been discovered in YugabyteDB. An authenticated attacker could exploit this to crash the YCQL tablet server, resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-8865", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "yugabytedb", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "yugabytedb", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2025-08-11T14:19:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-8865\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-8865\nhttps://docs.yugabyte.com/preview/secure/vulnerability-disclosure-policy/"], "threat_severity": "Low"}

{"created": "2025-08-12T11:47:03.927567+00:00", "updated": "2025-08-12T11:47:03.927634+00:00", "vendors": ["yugabyte", "yugabyte$PRODUCT$yugabytedb"]}