CVE-2025-61020

An attacker can send a crafted SQL UPDATE statement with a subquery that uses `xmlagg` and `ABS` inside an `IN` clause, as shown in the PoC [ref_id=1]. The statement is processed during query compilation, where `sqlo_strip_in_join` enters deep recursion (backtrace shows 8+ recursive calls at the same offset) leading to a stack overflow or crash. No authentication is required beyond the ability to execute SQL statements against the database.

The crash occurs in the `sqlo_strip_in_join` function (backtrace frames #0–#8) and is triggered during query compilation via `sqlc_update_searched` → `sql_stmt_comp` → `sqlo_query_spec` → `sqlo_top_2` → `sqlo_layout` → `sqlo_layout_1` → `sqlo_try` → `sqlo_try_in_loop` → `sqlo_strip_in_join` [ref_id=1]. The recursive call pattern (frames #1–#8 all at the same offset 0x433 in `sqlo_strip_in_join`) indicates unbounded recursion or infinite looping in that function.

The advisory does not include a patch or fix description [ref_id=1]. The issue is reported as an open GitHub issue with no linked pull request or commit. Remediation would likely require adding a recursion depth limit or loop guard in `sqlo_strip_in_join` to prevent unbounded recursion when processing nested subqueries in `IN` clauses.

```sql CREATE TABLE v0 ( v1 nvarchar ) ; UPDATE v0 SET v1 = v1 + 1 WHERE v1 IN ( SELECT xmlagg ( ABS ( 9 ) ) FROM v0 GROUP BY v1 ORDER BY v1 ) ; ``` Save to `/tmp/test.sql`, then run: ``` docker container rm virtdb_test -f docker run --name virtdb_test -itd --env DBA_PASSWORD=dba pkleef/virtuoso-opensource-7 sleep 10 echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba cat /tmp/test.sql | docker exec -i virtdb_test isql 1111 dba ``` [ref_id=1]