CVE-2025-70873
Information Disclosure in SQLite zipfileInflate via Crafted ZIP File
Publication date: 2026-03-12
Last updated on: 2026-04-16
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sqlite | sqlite | up to 3.51.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-244 | Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70873 is an information disclosure vulnerability in the zipfileInflate function of SQLite's zipfile extension. The issue occurs because the function allocates a buffer based on an expected decompressed size from the ZIP file's metadata without initializing it, and then decompresses data into this buffer. However, the final output size is set to the expected size rather than the actual decompressed size, which can be smaller. This causes the returned data to include uninitialized heap memory beyond the actual decompressed data.
As a result, attackers can craft a malicious ZIP file that causes the function to leak residual heap memory contents, potentially exposing sensitive information such as memory addresses. This can aid attackers in bypassing security mechanisms like Address Space Layout Randomization (ASLR) or facilitate exploitation of other memory corruption vulnerabilities.
The vulnerability affects SQLite versions up to and including 3.51.1 with the zipfile extension enabled, which is typically included by default in the SQLite CLI but not necessarily in all builds. [1, 2]
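The length mismatch described in the answer above, shown next to a hardened form, as an added C example that is not SQLite's code and not part of the original page. It assumes a toy run-length decoder (`toy_inflate`) in place of zlib, hypothetical function names, and a pre-filled buffer with a constructed marker byte modelling residual heap data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker standing in for residual heap data */

/* Toy stand-in for zlib inflate(): input is (count, byte) pairs.
 * Returns the number of bytes written, or -1 if they would not fit in cap. */
static long toy_inflate(const uint8_t *in, size_t n_in, uint8_t *out, size_t cap) {
    size_t w = 0;
    for (size_t i = 0; i + 1 < n_in; i += 2) {
        if ((size_t)in[i] > cap - w) return -1;
        memset(out + w, in[i + 1], in[i]);
        w += in[i];
    }
    return (long)w;
}

/* Pattern the description reports: the result length is the size declared in
 * the archive metadata, whatever the decompressor actually produced. */
static long extract_declared(const uint8_t *in, size_t n, uint8_t *buf, size_t declared) {
    if (toy_inflate(in, n, buf, declared) < 0) return -1;
    return (long)declared;
}

/* Hardened form: an entry whose real size differs from the declared size is
 * rejected, so no byte the decompressor did not write is ever returned. */
static long extract_checked(const uint8_t *in, size_t n, uint8_t *buf, size_t declared) {
    long got = toy_inflate(in, n, buf, declared);
    if (got < 0 || (size_t)got != declared) return -1;
    return got;
}

/* Counts marker bytes inside the returned length for a constructed entry that
 * declares 16 bytes but decompresses to 4. */
static int stale_bytes_returned(int hardened) {
    const uint8_t entry[] = {4, 'A'};   /* constructed input: 4 x 'A' */
    uint8_t buf[16];
    memset(buf, STALE, sizeof buf);     /* models an uninitialised allocation */
    long len = hardened ? extract_checked(entry, sizeof entry, buf, sizeof buf)
                        : extract_declared(entry, sizeof entry, buf, sizeof buf);
    int stale = 0;
    for (long i = 0; i < len; i++) stale += (buf[i] == STALE);
    return stale;
}

int main(void) {
    printf("declared-size length: %d stale bytes returned\n", stale_bytes_returned(0));
    printf("checked length:       %d stale bytes returned\n", stale_bytes_returned(1));
    return 0;
}
```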
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to obtain uninitialized heap memory contents from the SQLite process handling a crafted ZIP file. The leaked memory may contain sensitive information such as heap pointers or memory addresses.
Such information disclosure can help attackers bypass security features like Address Space Layout Randomization (ASLR), making it easier to exploit other vulnerabilities in the system.
However, exploitation requires the attacker to supply a malicious ZIP file to the vulnerable SQLite instance, and the vulnerability cannot be exploited in isolation. The severity is considered low, but the issue still poses a risk in environments where untrusted ZIP files are processed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your system uses a vulnerable version of SQLite (version 3.51.1 or earlier) with the zipfile extension enabled, especially in the SQLite CLI. Since the vulnerability arises from processing crafted ZIP files via the zipfile virtual table, monitoring or testing with crafted ZIP payloads can help detect the issue.
A practical approach is to run a proof-of-concept SQL query that processes a crafted ZIP file designed to trigger the uninitialized heap memory disclosure. This can reveal if the system is vulnerable by leaking heap pointers or memory addresses.
While no specific detection commands are provided in the resources, you can check the SQLite version and whether the zipfile extension is enabled by running the following commands in the SQLite CLI:
- `sqlite3 --version`
- `SELECT load_extension('zipfile');` to check if the zipfile extension can be loaded
Additionally, testing with a crafted ZIP file that exploits the vulnerability can be done by creating or obtaining a malicious ZIP payload and querying it through the zipfile virtual table to observe if uninitialized heap memory is disclosed. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update SQLite to a version that includes the fix for this vulnerability. The issue was fixed in a version released on 2026-01-09, after the report on 2025-12-06.
If updating immediately is not possible, consider disabling or not using the zipfile extension, especially in environments where untrusted ZIP files might be processed.
Ensure that only trusted ZIP files are processed by SQLite's zipfile extension to reduce the risk of exploitation.
Monitor SQLite's official channels for patches and apply them promptly. [1, 2, 3]