CVE-2025-54119 – adodb/adodb-php

Package

Manager: composer
Name: adodb/adodb-php
Vulnerable Version: >=0 <5.22.10

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

EPSS: 0.00063 pctl0.19839

Details

The ADOdb sqlite3 driver allows SQL injection Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. Note that the indicated Severity corresponds to a worst-case usage scenario, e.g. allowing user-supplied data to be sent as-is to the above-mentioned methods. ### Impact SQLite3 driver. ### Patches Vulnerability is fixed in ADOdb 5.22.10 (https://github.com/ADOdb/ADOdb/commit/5b8bd52cdcffefb4ecded1b399c98cfa516afe03). ### Workarounds Only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method's $table parameter. ### Credits Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.

Metadata

Created: 2025-08-04T15:12:03Z
Modified: 2025-08-05T17:09:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-vf2r-cxg9-p7rf/GHSA-vf2r-cxg9-p7rf.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-vf2r-cxg9-p7rf
Finding: F297
Auto approve: 1