CVE-2025-5878
Status: Awaiting Analysis (Queue)
BaseFortify

Publication date: 2025-06-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. The issue affects the interface method Encoder.encodeForSQL of the SQL Injection Defense: the method does not reliably neutralize special elements in the input it encodes (improper neutralization of special elements). The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 addresses this issue: commit f75ac2c2647a81d2cfbdc9c899f8719c240ed512 disables the feature by default so that any attempt to use it triggers a warning, and commit e2322914304d9b1c52523ff24be495b7832f6a56 updates the misleading Java class documentation to warn about the risks.
Meta Information
Published: 2025-06-29
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-06-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-138 (Improper Neutralization of Special Elements): The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-5878 is a vulnerability in the ESAPI esapi-java-legacy library, specifically in the Encoder.encodeForSQL method of its SQL Injection Defense. The method does not reliably neutralize special elements in the input it encodes, so an attacker who controls that input can still change the structure of a SQL statement that an application builds by concatenating the encoded value into SQL text, bypassing the protection the method was meant to provide. The encoding is ineffective with certain codecs, such as MySQLCodec in ANSI mode or OracleCodec. The attack may be initiated remotely and a public exploit has been disclosed; VulDB classifies the issue as problematic. The ESAPI project responded by disabling the method by default in version 2.7.0.0, so that any attempt to use it triggers a warning unless it is explicitly re-enabled, and by updating the class documentation to warn users about the risks. Upgrading to version 2.7.0.0 mitigates the issue. [1, 2, 4, 6]


How can this vulnerability impact me? :

This vulnerability can allow remote attackers to perform SQL injection against applications that build SQL statements from user input and rely on Encoder.encodeForSQL to make that input safe. Successful exploitation can compromise the confidentiality, integrity, and availability of the affected system through unauthorized data access, data manipulation, or disruption of service. Because the attack may be initiated remotely and a public exploit exists, applications that still depend on encodeForSQL as their SQL injection defense are at significant risk; the actual impact depends on which codec is in use, where in the statement the encoded value is placed, and what the application's database account is permitted to do. [1, 2, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2025-5878 starts with inventory: identify applications that ship ESAPI esapi-java-legacy version 2.6.2.0 or earlier (dependency manifests such as pom.xml or Gradle build files, and esapi-*.jar files in deployed artifacts), then locate code that calls Encoder.encodeForSQL, since only code paths that use that method are affected. The flaw is an encoding bypass rather than a distinct exploit with its own signature, so there is no single network indicator; monitoring application and database logs for SQL injection attempts or unusual query patterns against those applications can help. The resources provide no specific commands, but reviewing application logs and scanning for the vulnerable library version and for uses of the method is advised. [4, 6]
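The following added example (not code from the BaseFortify page or from the ESAPI project) implements the inventory step described above in Python: it walks a source or deployment tree, reports every ESAPI version it finds in esapi-*.jar file names, pom.xml declarations and Gradle coordinate strings (the Maven coordinate org.owasp.esapi:esapi is the library's real one; the pom pattern does not check the groupId), flags anything below 2.7.0.0, and lists Java lines that call encodeForSQL. The sample tree it scans is constructed inside build_fixture and is not a real project.

```python
"""Added example, not BaseFortify or ESAPI code: inventory a source or
deployment tree for ESAPI builds older than 2.7.0.0 and for Java code that
calls Encoder.encodeForSQL."""
import os
import re
import tempfile

FIXED_VERSION = (2, 7, 0, 0)  # first release that disables encodeForSQL by default

JAR_RE = re.compile(r"^esapi-(\d+(?:\.\d+)*)\.jar$")
# Maven coordinate org.owasp.esapi:esapi in a pom.xml (groupId is not checked
# here; tighten this if other artifacts named "esapi" exist in your tree), and
# the Gradle shorthand "org.owasp.esapi:esapi:<version>".
POM_RE = re.compile(r"<artifactId>esapi</artifactId>\s*<version>([^<]+)</version>")
GRADLE_RE = re.compile(r"org\.owasp\.esapi:esapi:([\w.]+)")
CALL_RE = re.compile(r"\bencodeForSQL\s*\(")
BUILD_FILES = ("pom.xml", "build.gradle", "build.gradle.kts")


def parse_version(text: str) -> tuple:
    """'2.6.2.0' -> (2, 6, 2, 0); shorter strings are zero-padded to four parts."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_fixed(version: str) -> bool:
    """True when the version already carries the 2.7.0.0 change."""
    return parse_version(version) >= FIXED_VERSION


def find_esapi_versions(root: str) -> list:
    """Return (path, version, fixed?) for every ESAPI jar or build-file
    dependency declaration found under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = JAR_RE.match(name)
            if m:
                hits.append((path, m.group(1), is_fixed(m.group(1))))
            elif name in BUILD_FILES:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                for m in POM_RE.finditer(text):
                    hits.append((path, m.group(1), is_fixed(m.group(1))))
                for m in GRADLE_RE.finditer(text):
                    hits.append((path, m.group(1), is_fixed(m.group(1))))
    return hits


def find_encodeForSQL_calls(root: str) -> list:
    """Return (path, line_number, line) for every Java line calling encodeForSQL."""
    calls = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".java"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if CALL_RE.search(line):
                        calls.append((path, lineno, line.strip()))
    return calls


def build_fixture() -> str:
    """Constructed sample tree (not a real project) so the scan runs offline:
    two jars, one pom.xml pinning 2.5.2.0, and one DAO that calls encodeForSQL."""
    root = tempfile.mkdtemp(prefix="esapi-scan-")
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "src"))
    open(os.path.join(root, "lib", "esapi-2.6.2.0.jar"), "wb").close()
    open(os.path.join(root, "lib", "esapi-2.7.0.0.jar"), "wb").close()
    with open(os.path.join(root, "pom.xml"), "w", encoding="utf-8") as fh:
        fh.write("<dependency><groupId>org.owasp.esapi</groupId>"
                 "<artifactId>esapi</artifactId><version>2.5.2.0</version></dependency>\n")
    with open(os.path.join(root, "src", "UserDao.java"), "w", encoding="utf-8") as fh:
        fh.write('String q = "SELECT * FROM users WHERE name = \'"\n'
                 '    + ESAPI.encoder().encodeForSQL(new OracleCodec(), name) + "\'";\n')
    return root


if __name__ == "__main__":
    tree = build_fixture()
    for path, version, fixed in find_esapi_versions(tree):
        print(f"{'fixed     ' if fixed else 'VULNERABLE'} {version:<8} {path}")
    for path, lineno, line in find_encodeForSQL_calls(tree):
        print(f"encodeForSQL call {path}:{lineno}: {line}")
```

Run it against a real checkout by replacing build_fixture() with the project root. A version below 2.7.0.0 is only a finding when find_encodeForSQL_calls also reports call sites; a jar at 2.7.0.0 or later with remaining call sites still deserves review, since the method can be re-enabled in configuration.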


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading ESAPI esapi-java-legacy to version 2.7.0.0, which disables the Encoder.encodeForSQL method by default; code that still calls it triggers a warning until the method is explicitly re-enabled in the ESAPI.properties configuration file, following the instructions in Security Bulletin #13, and any such re-enabling should be treated as a temporary, justified exception. The strongly recommended fix is to stop using encodeForSQL altogether and to hand untrusted values to the database as bind parameters, through Prepared Statements with parameterized queries or properly constructed stored procedures, instead of concatenating them into SQL text. Reviewing and applying the updated documentation and configuration changes shipped with the 2.7.0.0 release completes the mitigation. [3, 5, 6]
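The following added example (not code from the BaseFortify page or from the ESAPI project) illustrates, with Python's sqlite3 module, the general point behind the mitigation advice above and the explanation of the vulnerability earlier on this page: an escaper that doubles quotes only protects a value placed inside a single-quoted literal, and once the same escaped value is concatenated into an unquoted numeric position it does nothing, whereas a bind parameter is safe in either position. escape_for_sql is a simplified stand-in for a quote-doubling codec, an assumption for this example that does not reproduce ESAPI's MySQLCodec or OracleCodec, and the table contents are constructed.

```python
"""Added example, not ESAPI or BaseFortify code: escaping versus binding."""
import sqlite3


def escape_for_sql(value: str) -> str:
    """Stand-in for a quote-doubling SQL codec (an assumption for this example,
    not ESAPI's MySQLCodec or OracleCodec): doubling single quotes keeps a
    value from terminating the single-quoted literal it is placed in."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed sample data, in memory only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def ids_by_name_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Escaped value concatenated INSIDE a quoted literal: the classic
    ' OR '1'='1 payload is neutralised because its quotes are doubled."""
    sql = "SELECT id FROM users WHERE name = '" + escape_for_sql(name) + "'"
    return sorted(row[0] for row in conn.execute(sql))


def ids_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    """Same escaper, but the value is concatenated into an UNQUOTED numeric
    position. A payload containing no quote passes through untouched and
    becomes part of the WHERE clause."""
    sql = "SELECT id FROM users WHERE id = " + escape_for_sql(user_id)
    return sorted(row[0] for row in conn.execute(sql))


def ids_by_id_bound(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterized query: the driver binds the value, it is never parsed as
    SQL, and the same payload simply matches no row."""
    rows = conn.execute("SELECT id FROM users WHERE id = ?", (user_id,))
    return sorted(row[0] for row in rows)


def run_demo() -> dict:
    """Run the three lookups against the same payloads and return the results."""
    db = make_db()
    return {
        "escaped_quoted_payload": ids_by_name_escaped(db, "alice' OR '1'='1"),  # []
        "escaped_unquoted_payload": ids_by_id_escaped(db, "2 OR 1=1"),          # [1, 2, 3]
        "bound_payload": ids_by_id_bound(db, "2 OR 1=1"),                       # []
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

The Java equivalent of ids_by_id_bound is a java.sql.PreparedStatement with the value supplied through setInt or setString, which is the parameterized-query approach the answer above recommends in place of encodeForSQL.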

