CVE-2025-54119
published 2025-08-05


Priority: P264 critical
CVSS 3.1: 10 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:L)
EPSS: 0.46% (36.7th percentile)
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To work around this issue, only pass controlled data to the $table parameter of the metaColumns(), metaForeignKeys() and metaIndexes() methods.

Affected

3 ranges

Vendor   Product        Version range                                     Fixed in
adodb    adodb          < 5.22.10                                         5.22.10
adodb    adodb-php      >= 0 < 5.22.10                                    5.22.10
debian   libphp-adodb   < libphp-adodb 5.21.4-1+deb12u2 (bookworm)        libphp-adodb 5.21.4-1+deb12u2 (bookworm)

Detection & IOCs

  • Detect exploitation attempts against the ADOdb SQLite3 driver via a crafted table name passed to metaColumns(), metaForeignKeys() or metaIndexes(): look for SQL injection payloads in the $table parameter of these calls
  • Flag ADOdb versions 5.22.9 and below in software inventory as vulnerable; prioritize instances connecting to sqlite3 databases
  • The vulnerability is only exploitable when ADOdb connects to a sqlite3 database backend; other database drivers are not affected
  • Workaround (if patching to 5.22.10 is not immediately possible): ensure only trusted/controlled data is passed to the $table parameter of metaColumns(), metaForeignKeys() and metaIndexes()
  • Debian-specific fixed versions differ by release: bookworm fixed in 5.21.4-1+deb12u2, bullseye fixed in 5.20.19-1+deb11u3, trixie fixed in 5.22.9-0.1+deb13u1, sid/forky fixed in 5.22.10-0.1
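One way to apply the workaround named in the description and in the bullet above (an added example, not ADOdb's own code): vet the table name against the schema before it reaches the affected methods. It assumes an ADOdb connection object $db for a sqlite3 database and uses ADOdb's metaTables() to build the allowlist; assertKnownTable() and describeTable() are names chosen here.

```php
<?php
// Added example (not ADOdb project code): guard the $table argument of
// metaColumns()/metaForeignKeys()/metaIndexes() with an allowlist, as the
// advisory's workaround requires while 5.22.9 or older is still deployed.
// Assumes an ADOdb connection object $db (e.g. from newAdoConnection('sqlite3'))
// whose metaTables() returns the real table names of the connected database.

function assertKnownTable(object $db, string $table): string
{
    // First gate: a strict identifier shape. This rejects quotes, whitespace,
    // comment markers and anything else needed to break out of the query.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $table)) {
        // Hex-encode the rejected value so the log line itself stays clean.
        throw new InvalidArgumentException('Rejected table name: ' . bin2hex($table));
    }

    // Second gate: the name must exactly match a table that exists. The
    // allowlist comes from the schema, never from the request.
    $known = $db->metaTables('TABLES');
    if ($known === false || !in_array($table, $known, true)) {
        throw new InvalidArgumentException('Unknown table: ' . $table);
    }

    return $table;
}

// $untrustedName arrives from outside (request, config, another service) and
// is only handed to the metadata methods after it has passed both gates.
function describeTable(object $db, string $untrustedName): array
{
    $table = assertKnownTable($db, $untrustedName);

    return [
        'columns' => $db->metaColumns($table),
        'indexes' => $db->metaIndexes($table),
        'fkeys'   => $db->metaForeignKeys($table),
    ];
}
```

Tables whose names fall outside the identifier pattern (spaces, punctuation) would be rejected by the first gate; if such tables are legitimate, replace the regex with an explicit, hard-coded list of the names the application is allowed to inspect.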

CVSS provenance

nvd            v3.1   10.0   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
osv                   10.0   CRITICAL
vendor_debian         10.0   CRITICAL