GHSA-vf2r-cxg9-p7rf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vf2r-cxg9-p7rf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-vf2r-cxg9-p7rf/GHSA-vf2r-cxg9-p7rf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vf2r-cxg9-p7rf
- Aliases
- Published
- 2025-08-04T15:12:03Z
- Modified
- 2025-08-05T17:35:04.594112Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
- Summary
- The ADOdb sqlite3 driver allows SQL injection
- Details
-
Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name.
Note that the indicated Severity corresponds to a worst-case usage scenario, e.g. allowing user-supplied data to be sent as-is to the above-mentioned methods.
Impact
SQLite3 driver.
Patches
Vulnerability is fixed in ADOdb 5.22.10 (https://github.com/ADOdb/ADOdb/commit/5b8bd52cdcffefb4ecded1b399c98cfa516afe03).
Workarounds
Only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method's $table parameter.
Credits
Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.
- Database specific
{ "github_reviewed": true, "severity": "CRITICAL", "github_reviewed_at": "2025-08-04T15:12:03Z", "cwe_ids": [ "CWE-89" ], "nvd_published_at": "2025-08-05T01:15:41Z" }- References
Affected packages
Packagist / adodb/adodb-php
Package
- Name
- adodb/adodb-php
- Purl
- pkg:composer/adodb/adodb-php
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.22.10
Affected versions
v5.*
v5.19
v5.20.0
v5.20.1
v5.20.2
v5.20.3
v5.20.4
v5.20.5
v5.20.6
v5.20.7
v5.20.8
v5.20.9
v5.20.10
v5.20.11
v5.20.12
v5.20.13
v5.20.14
v5.20.15
v5.20.16
v5.20.17
v5.20.18
v5.20.19
v5.20.20
v5.20.21
v5.21.0-beta.1
v5.21.0-rc.1
v5.21.0
v5.21.1
v5.21.2
v5.21.3
v5.21.4
v5.22.0
v5.22.1
v5.22.2
v5.22.3
v5.22.4
v5.22.5
v5.22.6
v5.22.7
v5.22.8
v5.22.9