CVE-2025-46337
Published 2025-05-01
Priority: P2 (66) · Severity: critical · CVSS 3.1 base score: 10.0
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
EPSS: 0.64% (46.0th percentile)
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. This issue has been patched in version 5.22.9.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adodb | adodb | < 5.22.9 | 5.22.9 |
| adodb | adodb-php | >= 0 < 5.22.9 | 5.22.9 |
| debian | libphp-adodb | < libphp-adodb 5.21.4-1+deb12u1 (bookworm) | libphp-adodb 5.21.4-1+deb12u1 (bookworm) |
Detection & IOCs (extracted from sources)
- Vulnerability is triggered when ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data — monitor for unsanitized user input passed to this function in PHP applications using ADOdb prior to version 5.22.9
- Vulnerability only affects ADOdb installations prior to version 5.22.9 connecting to PostgreSQL backends; other database backends are not affected by this specific issue
- Debian bookworm and bullseye carry backported fixes at versions 5.21.4-1+deb12u1 and 5.20.19-1+deb11u2 respectively — version number alone may not indicate patch status on Debian-based systems
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L |
| osv | | 10.0 | CRITICAL | |
| vendor_debian | | 10.0 | CRITICAL | |
Ubuntu
ADOdb vulnerability
vendor_ubuntu · 2025-05-29
Title: ADOdb vulnerability
Summary: ADOdb could be made to crash or run programs if it received specially crafted input.
It was discovered that ADOdb incorrectly handled SQL input. A remote attacker could use this issue to execute arbitrary SQL commands.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2025-46337: libphp-adodb
vendor_debian · 2025 · CVSS 10.0 [CRITICAL]
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. This issue has been patched in version 5.22.9.
Scope: local
- bookworm: resolved (fixed in 5.21.4-1+deb12u1)
- bullseye: resolved (fixed in 5.20.19-1+deb11u2)
- forky: resolved (fixed in 5.22.9-0.1)
- sid: resolved (fixed in 5.22.9-0.1)
- trixie: resolved (fixed in 5.22.9-0.1)
OSV
SQL injection in ADOdb PostgreSQL driver pg_insert_id() method
osv · 2025-05-01 · [CRITICAL]
Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data.
Note that the indicated Severity corresponds to a worst-case usage scenario.
### Impact
PostgreSQL drivers (postgres64, postgres7, postgres8, postgres9).
### Patches
Vulnerability is fixed in ADOdb 5.22.9 (11107d6d6e5160b62e05dff8a3a2678cf0e3a426).
### Workarounds
Only pass controlled data to pg_insert_id() method's $fieldname parameter, or escape it with pg_escape_identifier() first.
### References
- Issue https://github.com/ADOdb/ADOdb/issues/1070
- [Blog post](https://xaliom.blogspot.com/2025/05/from-sast-to-cve-202
GHSA
SQL injection in ADOdb PostgreSQL driver pg_insert_id() method
ghsa · 2025-05-01 · [CRITICAL] · CWE-89
Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data.
Note that the indicated Severity corresponds to a worst-case usage scenario.
### Impact
PostgreSQL drivers (postgres64, postgres7, postgres8, postgres9).
### Patches
Vulnerability is fixed in ADOdb 5.22.9 (11107d6d6e5160b62e05dff8a3a2678cf0e3a426).
### Workarounds
Only pass controlled data to pg_insert_id() method's $fieldname parameter, or escape it with pg_escape_identifier() first.
### References
- Issue https://github.com/ADOdb/ADOdb/issues/1070
- [Blog post](https://xaliom.blogspot.com/2025/05/from-sast-to-cve-202
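The OSV and GHSA workaround sections above both say the same thing: only controlled data may reach the `$fieldname` parameter of `pg_insert_id()`, or the value must be escaped as an identifier first. The following is an added example of the "controlled data" workaround at the application layer; it is not ADOdb project code and not the upstream fix. It assumes `$db` is an ADOdb PostgreSQL connection exposing `pg_insert_id($tablename, $fieldname)` as the advisory describes, and the table and column names in the allowlist are constructed for illustration.

```php
<?php
// Added example (not ADOdb project code). Applies the advisory's workaround of
// passing only controlled data to pg_insert_id()'s $fieldname parameter.
// Assumptions: $db is an ADOdb PostgreSQL connection with the method
// pg_insert_id($tablename, $fieldname); table/column names are constructed.

/** Constructed allowlist: the only (table => id column) pairs this app uses. */
const ID_COLUMNS = [
    'orders'    => 'id',
    'customers' => 'customer_id',
];

/**
 * Vulnerable pattern, shown for contrast only: a request parameter is handed
 * to the driver as the column name. On ADOdb < 5.22.9 with a PostgreSQL
 * backend this is the code path CVE-2025-46337 describes.
 */
function lastInsertIdUnsafe($db, string $table, array $request)
{
    return $db->pg_insert_id($table, $request['col'] ?? 'id');
}

/**
 * Hardened pattern: the caller names a table; the id column is resolved from
 * a fixed map, so only compile-time constants ever reach the driver. Unknown
 * tables are rejected instead of forwarded.
 */
function lastInsertIdSafe($db, string $table)
{
    if (!array_key_exists($table, ID_COLUMNS)) {
        throw new InvalidArgumentException("No id column registered for table {$table}");
    }
    return $db->pg_insert_id($table, ID_COLUMNS[$table]);
}

/**
 * Syntactic guard for the rare case where a column name must still originate
 * from input (e.g. a generic admin screen): accept only plain, unquoted
 * PostgreSQL identifiers (lower-case letters, digits, underscore; at most 63
 * characters). Deliberately conservative; the advisory's own alternative is
 * pg_escape_identifier() on a live connection.
 */
function isPlainIdentifier(string $name): bool
{
    return (bool) preg_match('/\A[a-z_][a-z0-9_]{0,62}\z/', $name);
}
```

Typical use is `$id = lastInsertIdSafe($db, 'orders');` immediately after the insert; `lastInsertIdUnsafe()` exists only to make the difference visible in review and should not appear in production code. The allowlist approach works regardless of ADOdb version, so it remains worthwhile as defence in depth after upgrading to 5.22.9.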
OSV
CVE-2025-46337: ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases
osv · 2025-05-01 · CVSS 10.0 [CRITICAL]
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. This issue has been patched in version 5.22.9.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/ADOdb/ADOdb/commit/11107d6d6e5160b62e05dff8a3a2678cf0e3a426
- https://github.com/ADOdb/ADOdb/issues/1070
- https://github.com/ADOdb/ADOdb/security/advisories/GHSA-8x27-jwjr-8545
- https://lists.debian.org/debian-lts-announce/2025/05/msg00029.html
- https://xaliom.blogspot.com/2025/05/from-sast-to-cve-2025-46337.html