Platform: php
Component: adodb/adodb-php
Fixed in: 5.22.9, 5.22.10
CVE-2025-46337 describes a SQL Injection vulnerability discovered in adodb-php, a popular PHP database abstraction layer. The flaw allows an attacker to execute arbitrary SQL statements when an application connects to a PostgreSQL database and passes user-supplied data to the pg_insert_id() method. The vulnerability affects adodb-php versions up to and including 5.22.8; a patch is available in version 5.22.9.
The impact of this SQL Injection vulnerability is significant, particularly in environments where adodb-php is used to interact with PostgreSQL databases. An attacker could exploit the flaw to bypass authentication, read sensitive data (such as usernames, passwords, and financial information), modify database records, or even execute arbitrary commands on the underlying server. The severity is amplified by the widespread use of adodb-php in web applications and by the potential for cascading impact if the database holds critical business data. Successful exploitation could lead to data breaches, denial of service, and complete compromise of the affected system.
While no active exploitation campaigns have been publicly reported as of the publication date (2025-05-01), the CRITICAL severity of this vulnerability warrants immediate attention. The ease of exploitation, combined with the widespread use of adodb-php, makes it a potential target. The vulnerability is not currently listed on CISA KEV, but its severity suggests it could be added in the future. Public proof-of-concept exploits are not yet available, but the vulnerability's nature makes it likely that such exploits will emerge.
Exploit Status
EPSS: 0.52% (67th percentile)
The primary mitigation for CVE-2025-46337 is to upgrade to adodb-php version 5.22.9 or later, which contains the fix. If upgrading is not immediately feasible, a workaround is to strictly control the data passed to the pg_insert_id() method's $fieldname parameter: pass only trusted, application-defined identifiers, or escape user-supplied input with PHP's pg_escape_identifier() function before handing it to pg_insert_id(). This prevents malicious SQL from being injected into the query. After upgrading, confirm the fix by attempting to inject a simple SQL statement through the previously vulnerable parameter and verifying that it is properly sanitized.
Update the ADOdb library to version 5.22.9 or higher; this fixes the SQL injection vulnerability in the pg_insert_id() method. If the library is managed with Composer, update it through Composer; otherwise, download the latest release from the official website and replace the old files.
CVE-2025-46337 is a critical SQL Injection vulnerability affecting adodb-php versions up to 5.22.8. It allows an attacker to execute arbitrary SQL commands when pg_insert_id() is called with unsanitized user input on a PostgreSQL connection.
You are affected if you use adodb-php version 5.22.8 or earlier and connect to a PostgreSQL database using the pg_insert_id() method with user-supplied data.
Upgrade to adodb-php version 5.22.9 or later. Alternatively, escape user input with pg_escape_identifier() before passing it to pg_insert_id().
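The two practical checks a maintainer wants here are "is my installed adodb-php below the fixed release?" and "how do I keep untrusted identifiers away from pg_insert_id() until I can upgrade?". The following PHP is an added example, not code from the ADOdb project or from this advisory; it assumes PHP 8.0 or later, that the driver method is named pg_insert_id($tablename, $fieldname) as stated above, and it uses a constructed composer.lock document as sample input. Instead of quoting with pg_escape_identifier(), the wrapper refuses any identifier the application did not itself declare, which does not depend on how the driver interpolates the name into its query.

```php
<?php
// Added example, not ADOdb project code. Two defender-side helpers for CVE-2025-46337:
//  1. isAffectedAdodb(): parse a composer.lock document and report whether the installed
//     adodb/adodb-php is older than the fixed release 5.22.9.
//  2. safePgInsertId(): forward only allowlisted identifiers to the driver's
//     pg_insert_id($tablename, $fieldname) method (name/signature per the advisory),
//     for deployments that cannot upgrade immediately.
declare(strict_types=1);

const ADODB_FIXED_VERSION = '5.22.9';

/**
 * Returns true when composer.lock pins adodb/adodb-php below the fixed version,
 * false when it is at or above it, and null when the package is not listed at all.
 */
function isAffectedAdodb(string $composerLockJson): ?bool
{
    $lock = json_decode($composerLockJson, true, 512, JSON_THROW_ON_ERROR);
    $packages = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($packages as $pkg) {
        if (($pkg['name'] ?? '') !== 'adodb/adodb-php') {
            continue;
        }
        // Composer versions are often tagged with a leading "v" (e.g. v5.22.8); drop it.
        $installed = ltrim((string) ($pkg['version'] ?? '0'), 'v');
        return version_compare($installed, ADODB_FIXED_VERSION, '<');
    }
    return null;
}

/**
 * Accept an identifier only if the application itself declared it (allowlist) and it has
 * the shape of a plain unquoted PostgreSQL identifier (at most 63 characters, no quotes,
 * whitespace or punctuation). Anything else is rejected before it can reach SQL.
 */
function assertSafeIdentifier(string $name, array $allowlist): string
{
    if (!in_array($name, $allowlist, true)) {
        throw new InvalidArgumentException('identifier not in allowlist: ' . var_export($name, true));
    }
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,62}\z/', $name)) {
        throw new InvalidArgumentException('identifier has unexpected characters: ' . var_export($name, true));
    }
    return $name;
}

/**
 * Wrapper for ADOdb's PostgreSQL pg_insert_id(). $table and $field may originate from
 * request data; both are validated against the application's own schema map, so the
 * driver never sees an attacker-controlled string. $schema maps table name => list of
 * serial columns the application may ask about (assumption: the application owns this map).
 */
function safePgInsertId(object $db, string $table, string $field, array $schema): int
{
    $table = assertSafeIdentifier($table, array_keys($schema));
    $field = assertSafeIdentifier($field, $schema[$table]);
    return (int) $db->pg_insert_id($table, $field);
}

// --- Demo on constructed input (no database connection needed) ---
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'adodb/adodb-php', 'version' => 'v5.22.8'],
        ['name' => 'psr/log', 'version' => '3.0.0'],
    ],
    'packages-dev' => [],
]);
var_dump(isAffectedAdodb($sampleLock));
var_dump(isAffectedAdodb(str_replace('v5.22.8', 'v5.22.9', $sampleLock)));

// Schema map the application owns: table => serial columns it is allowed to query.
$schema = ['orders' => ['id'], 'customers' => ['id', 'account_no']];

echo 'accepted: ', assertSafeIdentifier('account_no', $schema['customers']), PHP_EOL;

// Inputs that must never reach the driver: a real-looking column that is not allowlisted,
// one with punctuation, and one with whitespace.
foreach (['created_at', 'id;', 'customer id'] as $untrusted) {
    try {
        assertSafeIdentifier($untrusted, $schema['orders']);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Running the script with `php` prints the affected/not-affected verdicts for the two sample lock files, one accepted identifier and three rejections. To use the wrapper in an application, replace direct `$db->pg_insert_id($table, $field)` calls with `safePgInsertId($db, $table, $field, $schema)`; the allowlist check is the part that matters, and the regex is a second guard in case the schema map itself is ever populated from an untrusted source.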
No active exploitation campaigns have been publicly reported, but the vulnerability's severity makes it a potential target.
Refer to the adodb-php project's release notes and security advisories on their official website or GitHub repository.