CVE-2025-24975
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-15

Last updated on: 2025-10-09

Assigner: GitHub, Inc.

Description
Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. If connections stored in ExtConnPool are not verified for presence and suitability of the CryptCallback interface is used when created versus what is available could result in a segfault in the server process. Encrypted databases, accessed by execute statement on external, may be accessed later by an attachment missing a key to that database. In a case when execute statement are chained, segfault may happen. Additionally, the segfault may affect unencrypted databases. This issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for this issue involves setting ExtConnPoolSize equal to 0 in firebird.conf.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-15
Last Modified
2025-10-09
Generated
2026-05-27
AI Q&A
2025-08-15
EPSS Evaluated
2026-05-25
NVD
CVE-2025-24975
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
firebirdsql firebird From 4.0.0 (inc) to 4.0.6 (exc)
firebirdsql firebird From 5.0.0 (inc) to 5.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Firebird relational database versions prior to certain snapshot and point releases. If the ExtConnPoolSize setting is not set to 0, connections stored in the external connection pool may not be properly verified for the CryptCallback interface. This can cause a segmentation fault (crash) in the server process. The issue can occur with both encrypted and unencrypted databases, especially when execute statements are chained or when encrypted databases are accessed without the proper key. The vulnerability has been fixed in specific snapshot and point releases, and a workaround is to set ExtConnPoolSize to 0 in the configuration file.


How can this vulnerability impact me? :

This vulnerability can cause the Firebird database server to crash (segmentation fault), potentially leading to denial of service. Additionally, encrypted databases might be accessed by attachments missing the encryption key, which could lead to unauthorized data exposure or corruption. Overall, it can impact database availability and data confidentiality.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, set ExtConnPoolSize equal to 0 in the firebird.conf configuration file. Additionally, update Firebird to one of the patched versions: snapshot versions 4.0.6.3183, 5.0.2.1610, 6.0.0.609, or the corresponding point releases 4.0.6 and 5.0.2.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart