VYPR
Unrated severity · NVD Advisory · Published Jun 23, 2026 · Updated Jun 23, 2026

CVE-2025-61022

Description

An issue in the sqlo_tb_col_preds component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"A null-pointer dereference or out-of-bounds access in `sqlo_tb_col_preds` when processing a `LEFT JOIN` with a `CONTAINS` predicate referencing a column alias."

Attack vector

An attacker can trigger a denial-of-service by executing a crafted SQL statement that combines a `LEFT JOIN` with a `CONTAINS` function call referencing a column alias from the joined table. The statement `CREATE TABLE v2 ( v3 INTEGER ) ; SELECT * FROM v2 LEFT JOIN v2 AS constraintdef ON v2 . v3 = v2 . v3 AND contains ( v3 , 'A/B-move/C-move' ) ;` causes a null-pointer dereference or out-of-bounds access in `sqlo_tb_col_preds` [ref_id=1]. No authentication or special privileges beyond the ability to run SQL statements are required.

Affected code

The crash occurs in `sqlo_tb_col_preds` (frame #0) when processing a `LEFT JOIN` with a `CONTAINS` predicate on a column alias. The call chain passes through `sqlo_place_table`, `sqlo_leaves`, `sqlo_layout_sort_tables`, and `sqlo_layout_1` before reaching the crashing function [ref_id=1].

What the fix does

No patch has been published for this issue. The advisory [ref_id=1] only documents the crash and provides reproduction steps. The vendor has not yet released a fix, so the vulnerability remains unpatched in virtuoso-opensource v7.2.11.

Preconditions

  • auth: The attacker must be able to execute arbitrary SQL statements against the Virtuoso server.
  • config: The server must have a table with at least one column (the PoC creates one).

Reproduction

```sql
CREATE TABLE v2 ( v3 INTEGER ) ;
SELECT * FROM v2 LEFT JOIN v2 AS constraintdef ON v2 . v3 = v2 . v3 AND contains ( v3 , 'A/B-move/C-move' ) ;
```

Run the above SQL against a Virtuoso 7.2.11 instance. The advisory also provides Docker-based reproduction steps: write the PoC to `/tmp/test.sql`, then run `cat /tmp/test.sql | docker exec -i virtdb_test isql 1111 dba` [ref_id=1].
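Since no fix is available, the statement shape described above can be flagged in query logs or in a gateway in front of the server. The following is an added example, not code from the advisory or from the Virtuoso project: a heuristic Python check for a `LEFT JOIN` whose `ON` condition calls `contains()`, which is deliberately broader than the column-alias case. The function names and every sample statement other than the advisory's are constructed for illustration.

```python
import re

# String literals and comments are blanked first so that keywords or
# semicolons inside them cannot confuse the clause matching below.
_NOISE = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
_LEFT_JOIN = re.compile(r"\bleft\s+(?:outer\s+)?join\b", re.I)
# An ON condition runs until the next clause keyword or the statement end.
_ON_CLAUSE = re.compile(
    r"\bon\b(?P<cond>.*?)(?=\b(?:where|group|order|having|union|join)\b|$)",
    re.I | re.S,
)
_CONTAINS = re.compile(r"\bcontains\s*\(", re.I)

def _blank(match):
    return "''" if match.group().startswith("'") else " "

def statements(script):
    """Split a script into statements with literals and comments removed."""
    cleaned = _NOISE.sub(_blank, script)
    return [s.strip() for s in cleaned.split(";") if s.strip()]

def is_suspect(statement):
    """True if some LEFT JOIN's ON condition calls contains()."""
    for join in _LEFT_JOIN.finditer(statement):
        on = _ON_CLAUSE.search(statement, join.end())
        if on and _CONTAINS.search(on.group("cond")):
            return True
    return False

def scan(script):
    """Return (statement number, statement) for every suspect statement."""
    return [(n, s) for n, s in enumerate(statements(script), 1) if is_suspect(s)]

# Constructed sample input: the advisory's statements plus two benign queries.
SAMPLE = """
CREATE TABLE v2 ( v3 INTEGER ) ;
SELECT * FROM v2 LEFT JOIN v2 AS constraintdef ON v2 . v3 = v2 . v3 AND contains ( v3 , 'A/B-move/C-move' ) ;
SELECT * FROM docs WHERE contains ( body , 'left join on' ) ;
SELECT * FROM a LEFT JOIN b ON a.id = b.id WHERE note = 'contains (x)' ;
"""

if __name__ == "__main__":
    for number, text in scan(SAMPLE):
        print(f"statement {number}: {text}")
```

The check is a regular-expression heuristic, so joins nested in parentheses can evade it; treat a hit as a reason to review or reject the statement, not as proof of the crash.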

Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
