Platform
php
Component
adodb/adodb-php
Fixed in
5.22.11
5.22.10
CVE-2025-54119 is a critical SQL Injection vulnerability discovered in ADOdb PHP, a widely used database abstraction layer. The flaw allows attackers to inject malicious SQL when ADOdb is connected to a SQLite3 database and the metaColumns(), metaForeignKeys(), or metaIndexes() methods are called with a specially crafted table name. The impact is severe, potentially enabling unauthorized data access and modification. Affected versions are those prior to 5.22.10; a patch is available.
The SQL Injection vulnerability in ADOdb PHP allows an attacker to bypass normal security controls and manipulate the SQLite3 database directly. By crafting a malicious table name, an attacker can inject arbitrary SQL commands, potentially leading to complete database compromise: extracting sensitive data such as user credentials, financial records, or application configuration details; modifying or deleting data; disrupting application functionality; or, if the database user has sufficient privileges, gaining control of the underlying server. The worst case is full control of the database and potentially the entire system, as in other SQL Injection scenarios where the injection is used to escalate privileges and execute operating system commands.
CVE-2025-54119 was published on 2025-08-04. The vulnerability's critical CVSS score (10) indicates a high probability of exploitation. As of this writing, no public Proof-of-Concept (PoC) exploits are available, but given how easily this class of vulnerability is exploited, PoCs are likely to emerge. The vulnerability is not currently listed on CISA KEV, but its severity warrants monitoring. Organizations using ADOdb PHP should prioritize patching to prevent potential exploitation.
Exploit Status
EPSS
0.06% (20th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-54119 is to upgrade ADOdb PHP to version 5.22.10 or later, which includes a fix for the vulnerability. If upgrading immediately is not feasible, consider temporary workarounds. Validating and sanitizing the table names passed to metaColumns(), metaForeignKeys(), and metaIndexes() is crucial. Using parameterized queries or prepared statements, where possible, also helps prevent SQL Injection. Web Application Firewalls (WAFs) configured to detect and block SQL Injection attempts provide an additional layer of defense. After upgrading to 5.22.10, verify the fix by attempting to trigger the vulnerability with a crafted table name and confirming that the SQL injection is prevented.
Upgrade the ADOdb library to version 5.22.10 or later. Alternatively, ensure that the data passed to the $table parameter of the metaColumns(), metaForeignKeys(), and metaIndexes() methods is controlled and safe, to prevent SQL injection.
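The following is an added example of the workaround described above (it is not code from the ADOdb project or from this advisory): a small wrapper that rejects any table name that is not a plain identifier and not a table the connection actually reports, before the name reaches metaColumns(). It assumes ADOdb is installed through Composer (the autoload path is an assumption) and uses an in-memory SQLite3 database with a constructed schema for the demonstration; the function names assertSafeTableName() and safeMetaColumns() are hypothetical.

```php
<?php
// Added example (not ADOdb project code): guard table names before they reach
// ADOdb's metaColumns()/metaForeignKeys()/metaIndexes() on a SQLite3 connection.
// Assumes ADOdb is installed via Composer; adjust the autoload path if needed.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Return $table only if it is a plain SQL identifier AND a table that the
 * database itself reports; otherwise throw. This is a defence-in-depth
 * workaround for unpatched ADOdb (< 5.22.10), not a substitute for upgrading.
 */
function assertSafeTableName(ADOConnection $db, string $table): string
{
    // 1. Syntactic allowlist: letters, digits, underscore only; no quotes,
    //    whitespace, semicolons or comment markers can get through.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $table)) {
        throw new InvalidArgumentException(
            'Rejected table name (bad characters): ' . var_export($table, true)
        );
    }
    // 2. Existence allowlist: the name must match a table the database lists.
    $known = $db->metaTables('TABLES') ?: [];
    if (!in_array($table, $known, true)) {
        throw new InvalidArgumentException(
            'Rejected table name (unknown table): ' . var_export($table, true)
        );
    }
    return $table;
}

/** Same as $db->metaColumns(), but only for names that pass both checks. */
function safeMetaColumns(ADOConnection $db, string $table)
{
    return $db->metaColumns(assertSafeTableName($db, $table));
}

// --- demonstration on a constructed in-memory SQLite3 database ---
$db = newAdoConnection('sqlite3');
$db->connect(':memory:');
$db->execute('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');

// A legitimate name passes both checks and returns the column metadata.
foreach (safeMetaColumns($db, 'users') as $col) {
    echo $col->name, ' ', $col->type, PHP_EOL;
}

// Constructed bad inputs: a name containing a quote, and a name that is not a
// table. Each is rejected before ADOdb builds any SQL from it.
foreach (["users'", 'nonexistent'] as $bad) {
    try {
        safeMetaColumns($db, $bad);
    } catch (InvalidArgumentException $e) {
        echo 'blocked: ', $e->getMessage(), PHP_EOL;
    }
}
```

The existence check (step 2) is what makes this an allowlist rather than a blocklist: even an identifier that passes the regex is refused unless the database reports a table of that exact name, so the wrapper stays correct for metaForeignKeys() and metaIndexes() as well. Apply the same wrapper to those calls wherever the table name originates from user-controlled input.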
It's a critical SQL Injection vulnerability in ADOdb PHP affecting versions before 5.22.10. Attackers can inject SQL code via crafted table names when using SQLite3.
If you're using ADOdb PHP version 5.22.9 or earlier, you are vulnerable. Check your dependencies and update immediately.
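To check the dependency mechanically rather than by eye, here is an added example (not from ADOdb or this advisory) that reads a composer.lock payload and reports whether the pinned adodb/adodb-php version is below the fixed version 5.22.10 given above. The lock-file fragment is constructed for the demonstration, and the function names findAdodbVersion() and isVulnerableAdodb() are hypothetical.

```php
<?php
// Added example (not ADOdb project code): flag a vulnerable adodb/adodb-php pin
// in composer.lock. Threshold taken from the advisory: versions < 5.22.10 are affected.
const ADODB_PACKAGE = 'adodb/adodb-php';
const ADODB_FIXED_VERSION = '5.22.10';

/**
 * Return the installed adodb/adodb-php version from a decoded composer.lock
 * array, or null if the package appears in neither section.
 */
function findAdodbVersion(array $lock): ?string
{
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (($pkg['name'] ?? '') === ADODB_PACKAGE) {
                // Composer records tags as "v5.22.9" or "5.22.9"; drop a leading "v".
                return ltrim((string) $pkg['version'], 'v');
            }
        }
    }
    return null;
}

/** True when the version sorts below the fixed release (5.22.9 < 5.22.10). */
function isVulnerableAdodb(string $version): bool
{
    // version_compare() handles multi-part numbers correctly. Branch aliases
    // such as "dev-master" sort below any numeric release, so they are
    // reported as vulnerable, which is the conservative result.
    return version_compare($version, ADODB_FIXED_VERSION, '<');
}

// Constructed composer.lock fragment; in practice use file_get_contents('composer.lock').
$lockJson = '{"packages":[{"name":"adodb/adodb-php","version":"v5.22.9"}],"packages-dev":[]}';
$lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);

$version = findAdodbVersion($lock);
if ($version === null) {
    echo ADODB_PACKAGE, " not found in lock file\n";
} elseif (isVulnerableAdodb($version)) {
    echo "VULNERABLE: $version is below ", ADODB_FIXED_VERSION, " (CVE-2025-54119); upgrade\n";
} else {
    echo "OK: $version\n";
}
```

Run it from the project root against the real composer.lock; a non-null version that is reported vulnerable means the application is on an affected release and should be upgraded as described in the mitigation section.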
Upgrade ADOdb PHP to version 5.22.10 or later. Implement input validation as a temporary workaround if immediate upgrade isn't possible.
No public exploits are currently known, but the vulnerability's severity suggests potential for exploitation. Monitor for updates.
Refer to the ADOdb GitHub commit https://github.com/ADOdb/ADOdb/commit/5b8bd52cdcffefb4ecded1b399c98cfa516afe03 for details, and to the NVD entry when available.