CRITICAL🇵🇱 Wersja polska

CVE-2025-54119

CVSS 10.0v3.1pub. 2025-08-05upd. 2026-04-15

ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To workaround this issue, only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method's $table parameter.

🤖 AI Analysis
How it works

The vulnerability exists in the metaColumns(), metaForeignKeys() and metaIndexes() methods, which do not properly filter the value passed as the table name ($table). An attacker can provide a crafted table name containing malicious SQL fragments that will be directly embedded in the query sent to the SQLite3 database. Lack of proper escaping means that the supplied payload is interpreted as a syntactic part of the SQL query, not as data.

Impact

An attacker can execute arbitrary SQL commands on the SQLite3 database, leading to disclosure, modification or deletion of data, and in specific configurations also to further system integrity compromise.

Mitigation & patch

Update the ADOdb library to version 5.22.10, where the issue has been fixed. As a workaround until updating, pass only trusted and controlled data to the $table parameter of the metaColumns(), metaForeignKeys() and metaIndexes() methods.

Who is affected

ADOdb in versions 5.22.9 and earlier, only in scenarios where the PHP application connects to SQLite3 database and calls metaColumns(), metaForeignKeys() or metaIndexes() methods with untrusted data as the table name.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References