Platform
php
Component
adodb/adodb-php
Fixed in
5.22.10
5.22.9
CVE-2025-46337 describes a SQL Injection vulnerability discovered in adodb-php, a popular PHP database abstraction layer. This flaw allows attackers to potentially execute arbitrary SQL statements when connecting to a PostgreSQL database and utilizing the pg_insert_id() function with user-supplied data. The vulnerability affects versions of adodb-php up to and including 5.22.8, and a patch is available in version 5.22.9.
The impact of this SQL Injection vulnerability is significant, particularly in environments where adodb-php is used to interact with PostgreSQL databases. An attacker could exploit this flaw to bypass authentication, read sensitive data (such as usernames, passwords, and financial information), modify database records, or even execute arbitrary commands on the underlying server. The severity is amplified by the widespread use of adodb-php in various web applications and the potential for cascading impacts if the database contains critical business data. Successful exploitation could lead to data breaches, denial of service, and complete compromise of the affected system.
While no active exploitation campaigns have been publicly reported as of the publication date (2025-05-01), the CRITICAL severity of this vulnerability warrants immediate attention. The ease of exploitation, combined with the widespread use of adodb-php, makes it a potential target. The vulnerability is not currently listed on CISA KEV, but its severity suggests it could be added in the future. Public proof-of-concept exploits are not yet available, but the vulnerability's nature makes it likely that such exploits will emerge.
Applications utilizing adodb-php to connect to PostgreSQL databases are at risk. This includes web applications, content management systems (CMS), and other software that relies on adodb-php for database interaction. Specifically, applications with legacy codebases or those that haven't implemented robust input validation are particularly vulnerable.
• php: Examine code using pg_insert_id() with user-supplied data. Search for instances where user input is directly passed to this function without proper sanitization.
• php: Review the adodb-php library version. Check for versions prior to 5.22.9, for example with composer show adodb/adodb-php on Composer-managed installs (php -m only lists PHP extensions, not Composer packages).
• generic web: Monitor PostgreSQL database logs for unusual SQL queries or errors related to pg_insert_id().
• generic web: Check application logs for errors indicating SQL injection attempts.
• generic web: Use a web application firewall (WAF) to detect and block SQL injection attempts targeting the affected endpoint.
disclosure
Exploit status
EPSS
0.52% (67th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-46337 is to upgrade to adodb-php version 5.22.9 or later, which contains the fix. If upgrading is not immediately feasible, a workaround involves carefully controlling the data passed to the pg_insert_id() method's $fieldname parameter. Specifically, ensure that only trusted data is used, or escape the user-supplied input using the pg_escape_identifier() function before passing it to pg_insert_id(). This prevents malicious SQL code from being injected into the query. After upgrading, confirm the fix by attempting to inject a simple SQL statement through the vulnerable parameter and verifying that it is properly sanitized.
Update the ADOdb library to version 5.22.9 or later. This fixes the SQL injection vulnerability in the pg_insert_id() method. You can update the library with Composer if you manage it that way, or by downloading the latest release from the official website and replacing the old files.
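The workaround above, as an added example that is not part of this advisory or of the ADOdb project: a guard around pg_insert_id() for installations that cannot upgrade yet, plus a version check. It uses a strict identifier allowlist rather than pg_escape_identifier() quoting, which holds regardless of how the driver assembles its sequence query; the Composer path, the `postgres9` driver name, the connection details and the SEQUENCE_COLUMNS table are assumptions.

```php
<?php
// Added example, not code from the advisory or the ADOdb project. Assumes ADOdb
// installed through Composer and a PostgreSQL connection opened with
// ADONewConnection('postgres9'). Uses a strict identifier allowlist as a
// stricter alternative to the pg_escape_identifier() workaround in the advisory.
require __DIR__ . '/vendor/autoload.php';

// Table => columns the application is allowed to read a sequence value for.
// Constructed sample schema; replace with the real one.
const SEQUENCE_COLUMNS = [
    'users'  => ['id'],
    'orders' => ['id', 'invoice_no'],
];

/**
 * Guard around ADOdb's pg_insert_id($tablename, $fieldname) for installations
 * still below 5.22.9: only plain SQL names that appear in SEQUENCE_COLUMNS ever
 * reach the driver, so request-controlled strings are never interpolated into
 * the sequence lookup.
 */
function guardedInsertId(ADOConnection $db, string $table, string $field)
{
    $plainName = '/^[A-Za-z_][A-Za-z0-9_]{0,62}$/';
    if (!preg_match($plainName, $table) || !preg_match($plainName, $field)) {
        throw new InvalidArgumentException('Refusing non-identifier input to pg_insert_id()');
    }
    if (!in_array($field, SEQUENCE_COLUMNS[$table] ?? [], true)) {
        throw new InvalidArgumentException("No known sequence for $table.$field");
    }
    return $db->pg_insert_id($table, $field);
}

/** True when the loaded ADOdb release carries the fix for CVE-2025-46337. */
function adodbIsPatched(): bool
{
    // ADOConnection::Version() returns the library version string, e.g. "5.22.9".
    return version_compare(ADOConnection::Version(), '5.22.9', '>=');
}

$db = ADONewConnection('postgres9');
$db->Connect('localhost', 'app', 'secret', 'appdb'); // constructed credentials
if (!adodbIsPatched()) {
    error_log('adodb-php ' . ADOConnection::Version() . ' predates the CVE-2025-46337 fix');
}

$db->Execute('INSERT INTO users (name) VALUES (?)', ['alice']);
$newId = guardedInsertId($db, 'users', 'id');        // sequence value for users.id
// guardedInsertId($db, 'users', $_GET['col']) throws unless the value is exactly 'id'.
```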
CVE-2025-46337 is a critical SQL Injection vulnerability affecting adodb-php versions up to 5.22.8. It allows attackers to execute arbitrary SQL commands when using pg_insert_id() with unsanitized user input in PostgreSQL connections.
You are affected if you are using adodb-php version 5.22.8 or earlier and connecting to a PostgreSQL database using the pg_insert_id() function with user-supplied data.
Upgrade to adodb-php version 5.22.9 or later. Alternatively, escape user input with pg_escape_identifier() before passing it to pg_insert_id().
No active exploitation campaigns have been publicly reported, but the vulnerability's severity makes it a potential target.
Refer to the adodb-php project's release notes and security advisories on their official website or GitHub repository.