CVE-2025-54119
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-11-03
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adodb | adodb | 5.22.9 |
| adodb | adodb | 5.22.10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54119 is a critical SQL injection vulnerability in the ADOdb PHP library's sqlite3 driver affecting versions up to 5.22.9. The issue occurs because the library improperly escapes query parameters when calling the metaColumns(), metaForeignKeys(), or metaIndexes() methods with a crafted table name. This improper sanitization allows an attacker to execute arbitrary SQL statements on the sqlite3 database if untrusted data is passed directly to these methods without validation. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized disclosure of sensitive data, unauthorized modification of data, and limited disruption of service availability. It can be exploited remotely without any authentication or user interaction, making it highly dangerous. An attacker can execute arbitrary SQL commands on the affected database, potentially compromising the confidentiality, integrity, and availability of the data. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively affect compliance with standards and regulations such as GDPR and HIPAA because it allows unauthorized access and modification of sensitive data. Exploitation could lead to data breaches involving personal or protected health information, violating data protection and privacy requirements mandated by these regulations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your system is running ADOdb versions 5.22.9 or below and if the application uses the metaColumns(), metaForeignKeys(), or metaIndexes() methods with untrusted or unsanitized table name inputs. There are no specific network detection commands provided, but you can audit your codebase for usage of these methods with dynamic table names. Additionally, monitoring for unusual SQL queries or errors related to these methods in logs may help identify exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade ADOdb to version 5.22.10 or later where the issue is fixed. As a workaround, ensure that only controlled and validated data is passed to the $table parameter of the metaColumns(), metaForeignKeys(), and metaIndexes() methods to prevent SQL injection. Avoid passing user-supplied or untrusted input directly to these methods. [1, 2]