CVE-2025-54119
Published 2025-08-05
Priority: P2 (64) · Severity: critical · CVSS 3.1 base score: 10.0
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:L
EPSS: 0.46% (36.7th percentile)
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To work around this issue, pass only controlled data to the $table parameter of the metaColumns(), metaForeignKeys() and metaIndexes() methods.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adodb | adodb | < 5.22.10 | 5.22.10 |
| adodb | adodb-php | >= 0, < 5.22.10 | 5.22.10 |
| debian | libphp-adodb | < 5.21.4-1+deb12u2 (bookworm) | 5.21.4-1+deb12u2 (bookworm) |
Detection & IOCs
- Detect exploitation attempts targeting the ADOdb SQLite3 driver via a crafted table name passed to metaColumns(), metaForeignKeys() or metaIndexes(): look for SQL injection payloads in the $table parameter of these calls.
- Flag ADOdb versions 5.22.9 and below in the software inventory as vulnerable; prioritize instances connecting to sqlite3 databases.
- The vulnerability is only exploitable when ADOdb connects to a sqlite3 database backend; other database drivers are not affected.
- Workaround (if patching to 5.22.10 is not immediately possible): ensure only trusted/controlled data is passed to the $table parameter of metaColumns(), metaForeignKeys() and metaIndexes().
- Debian fixed versions differ by release: bookworm 5.21.4-1+deb12u2, bullseye 5.20.19-1+deb11u3, trixie 5.22.9-0.1+deb13u1, sid/forky 5.22.10-0.1.
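The workaround above (only controlled data reaches the $table parameter) is easy to state and easy to get wrong, so here is an added example of how an application can enforce it, written for this page and not taken from the ADOdb project. It validates a request-supplied table name twice before any of the three metadata methods is called: a strict identifier pattern (an assumption of this example, not an ADOdb rule) rejects the quote, parenthesis and semicolon characters an injected payload would need, and an exact-match allowlist built from the driver's own metaTables() result rejects anything that is not an existing table. The Composer autoloader path, the database file path `/var/lib/app/app.db` and the request parameter name `table` are placeholders.

```php
<?php
// Added example, not ADOdb project code: application-side guard for the $table
// parameter of metaColumns(), metaForeignKeys() and metaIndexes(), i.e. the
// workaround the advisory recommends for ADOdb <= 5.22.9 on the sqlite3 driver.
// Assumed placeholders: Composer autoloader path, database path, request parameter.

require_once __DIR__ . '/vendor/autoload.php';

/**
 * Return $table only if it is safe to hand to ADOdb's metadata methods:
 *  1. a cheap syntactic check (assumed identifier rule): plain identifier characters
 *     only, so quotes, parentheses and semicolons are rejected before any DB access;
 *  2. an allowlist check against the table names the driver itself reports via
 *     metaTables(), compared with strict equality so nothing is coerced or partially matched.
 *
 * @throws InvalidArgumentException when the name is not an existing, plainly named table
 * @throws RuntimeException         when the table list cannot be read
 */
function assertKnownTable(ADOConnection $db, string $table): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $table)) {
        throw new InvalidArgumentException('Rejected table name: ' . json_encode($table));
    }
    $known = $db->metaTables('TABLES'); // array of table names, or false on error
    if ($known === false) {
        throw new RuntimeException('Could not enumerate tables');
    }
    if (!in_array($table, $known, true)) {
        throw new InvalidArgumentException('Unknown table: ' . $table);
    }
    return $table;
}

/**
 * Collect column, foreign-key and index metadata for one allowlisted table.
 * All three calls that end in the sqlite3 driver's metadata queries go through
 * assertKnownTable() first, so a crafted name never reaches the driver.
 */
function describeTable(ADOConnection $db, string $requestedTable): array
{
    $table = assertKnownTable($db, $requestedTable);
    return [
        'columns'      => $db->metaColumns($table) ?: [],
        'foreign_keys' => $db->metaForeignKeys($table) ?: [],
        'indexes'      => $db->metaIndexes($table) ?: [],
    ];
}

// --- Vulnerable pattern this replaces (do not use on ADOdb <= 5.22.9 with sqlite3) ---
// $cols = $db->metaColumns($_GET['table']);   // request data straight into the driver

// --- Hardened usage ---
$db = ADONewConnection('sqlite3');
if (!$db || !$db->connect('/var/lib/app/app.db')) {   // assumed database path
    http_response_code(500);
    exit('database unavailable');
}

try {
    $meta = describeTable($db, (string) ($_GET['table'] ?? ''));
    header('Content-Type: application/json');
    echo json_encode($meta);
} catch (InvalidArgumentException $e) {
    http_response_code(400);          // bad or unknown table name: reject, never query
    error_log('metadata request rejected: ' . $e->getMessage());
    echo 'invalid table';
}
```

The allowlist is the check that actually matters; the identifier regex is defence in depth that also keeps the rejection cheap and keeps obviously hostile input out of the table enumeration path. Neither replaces upgrading to 5.22.10, and the guard must sit in front of every caller of the three methods, not just the one that happens to read request data today.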
CVSS provenance
- NVD (CVSS v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
- OSV: 10.0 CRITICAL
- Debian (vendor): 10.0 CRITICAL
OSV
CVE-2025-54119: ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases
osv · 2025-08-05 · CVSS 10.0 · CRITICAL
OSV
The ADOdb sqlite3 driver allows SQL injection
osv · 2025-08-04 · CVE-2025-54119 [CRITICAL]
Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name.
Note that the indicated Severity corresponds to a worst-case usage scenario, e.g. allowing user-supplied data to be sent as-is to the above-mentioned methods.
### Impact
SQLite3 driver.
### Patches
Vulnerability is fixed in ADOdb 5.22.10 (https://github.com/ADOdb/ADOdb/commit/5b8bd52cdcffefb4ecded1b399c98cfa516afe03).
### Workarounds
Only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method's $table parameter.
### Credits
Thanks to Marco Nappi (@mrcnpp) for rep
GHSA
The ADOdb sqlite3 driver allows SQL injection
ghsa · 2025-08-04 · CVE-2025-54119 [CRITICAL] · CWE-89 (advisory text identical to the OSV entry above)
Debian
CVE-2025-54119: libphp-adodb - ADOdb is a PHP database class library that provides abstractions for performing ...
vendor_debian · 2025 · CVSS 10.0 · CRITICAL
Scope: local
bookworm: resolved (fixed in 5.21.4-1+deb12u2)
bullseye: resolved (fixed in 5.20.19-1+deb11u3)
forky: resolved (fixed in 5.22.10-0.1)
sid: resolved (fixed in 5.22.10-0.1)
trixie: resolved (fixed in 5.22.9-0.1+deb13u1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.