CVE-2025-70873
Received Received - Intake
Information Disclosure in SQLite zipfileInflate via Crafted ZIP File

Publication date: 2026-03-12

Last updated on: 2026-04-16

Assigner: MITRE

Description
An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70873
EUVD
EUVD-2025-208623
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sqlite sqlite to 3.51.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-244 Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-70873 is an information disclosure vulnerability in the zipfileInflate function of SQLite's zipfile extension. The issue occurs because the function allocates a buffer based on an expected decompressed size from the ZIP file's metadata without initializing it, and then decompresses data into this buffer. However, the final output size is set to the expected size rather than the actual decompressed size, which can be smaller. This causes the returned data to include uninitialized heap memory beyond the actual decompressed data."}, {'type': 'paragraph', 'content': 'As a result, attackers can craft a malicious ZIP file that causes the function to leak residual heap memory contents, potentially exposing sensitive information such as memory addresses. This can aid attackers in bypassing security mechanisms like Address Space Layout Randomization (ASLR) or facilitate exploitation of other memory corruption vulnerabilities.'}, {'type': 'paragraph', 'content': 'The vulnerability affects SQLite versions up to and including 3.51.1 with the zipfile extension enabled, which is typically included by default in the SQLite CLI but not necessarily in all builds.'}] [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an attacker to obtain uninitialized heap memory contents from the SQLite process handling a crafted ZIP file. The leaked memory may contain sensitive information such as heap pointers or memory addresses.

Such information disclosure can help attackers bypass security features like Address Space Layout Randomization (ASLR), making it easier to exploit other vulnerabilities in the system.

However, exploitation requires the attacker to supply a malicious ZIP file to the vulnerable SQLite instance, and the vulnerability cannot be exploited in isolation. The severity is considered low but still poses a risk in environments where untrusted ZIP files are processed.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if your system uses a vulnerable version of SQLite (version 3.51.1 or earlier) with the zipfile extension enabled, especially in the SQLite CLI. Since the vulnerability arises from processing crafted ZIP files via the zipfile virtual table, monitoring or testing with crafted ZIP payloads can help detect the issue.'}, {'type': 'paragraph', 'content': 'A practical approach is to run a proof-of-concept SQL query that processes a crafted ZIP file designed to trigger the uninitialized heap memory disclosure. This can reveal if the system is vulnerable by leaking heap pointers or memory addresses.'}, {'type': 'paragraph', 'content': 'While no specific detection commands are provided in the resources, you can check the SQLite version and whether the zipfile extension is enabled by running the following commands in the SQLite CLI:'}, {'type': 'list_item', 'content': 'sqlite3 --version'}, {'type': 'list_item', 'content': "SELECT load_extension('zipfile'); -- to check if the zipfile extension can be loaded"}, {'type': 'paragraph', 'content': 'Additionally, testing with a crafted ZIP file that exploits the vulnerability can be done by creating or obtaining a malicious ZIP payload and querying it through the zipfile virtual table to observe if uninitialized heap memory is disclosed.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to update SQLite to a version that includes the fix for this vulnerability. The issue was fixed in a version released on 2026-01-09, after the report on 2025-12-06.'}, {'type': 'paragraph', 'content': 'If updating immediately is not possible, consider disabling or not using the zipfile extension, especially in environments where untrusted ZIP files might be processed.'}, {'type': 'paragraph', 'content': "Ensure that only trusted ZIP files are processed by SQLite's zipfile extension to reduce the risk of exploitation."}, {'type': 'paragraph', 'content': "Monitor SQLite's official channels for patches and apply them promptly."}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart