CVE-2025-54119

ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To workaround this issue, only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method's $table parameter.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54119.json",
    "cwe_ids": [
        "CWE-89"
    ]
}

References

Affected packages

Git / github.com/adodb/adodb

Affected ranges

Type: GIT
Repo: https://github.com/adodb/adodb
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

38ce257600e67b1e854f2e9054166569cff4bf6b

Affected versions

v5.*

v5.00beta

v5.01beta

v5.02

v5.02a

v5.03

v5.04

v5.05

v5.06

v5.07

v5.08

v5.08a

v5.09

v5.09a

v5.10

v5.11

v5.12

v5.13

v5.14

v5.15

v5.16

v5.16a

v5.17

v5.18

v5.18a

v5.19

v5.20.0

v5.20.1

v5.20.10

v5.20.11

v5.20.12

v5.20.13

v5.20.14

v5.20.15

v5.20.16

v5.20.17

v5.20.18

v5.20.19

v5.20.2

v5.20.20

v5.20.21

v5.20.3

v5.20.4

v5.20.5

v5.20.6

v5.20.7

v5.20.8

v5.20.9

v5.21.0

v5.21.0-beta.1

v5.21.0-rc.1

v5.21.1

v5.21.2

v5.21.3

v5.21.4

v5.22.0

v5.22.1

v5.22.2

v5.22.3

v5.22.4

v5.22.5

v5.22.6

v5.22.7

v5.22.8

v5.22.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54119.json"