Thursday, March 5, 2026

ADOdb SQLite3 Driver Vulnerability Enables Arbitrary SQL Statement Execution

A critical SQL injection vulnerability in the widely used ADOdb PHP database abstraction library has been disclosed and patched. It affects only the library's SQLite3 driver, so applications that use ADOdb to talk to a SQLite3 database are the ones at risk.

The vulnerability, tracked as CVE-2025-54119, carries the maximum CVSS score of 10.0, reflecting both its severity and its ease of exploitation when untrusted input reaches the affected code.

The vulnerability stems from improper escaping of query parameters in three specific methods within ADOdb’s SQLite3 driver: metaColumns(), metaForeignKeys(), and metaIndexes().

These methods are typically used for database schema introspection, allowing applications to retrieve metadata about table columns, foreign key relationships, and database indexes.

Security researcher Marco Nappi (@mrcnpp) discovered the vulnerability and reported it through responsible disclosure channels.

The flaw is triggered when attacker-controlled data is passed directly as the $table parameter of these methods: the driver interpolated the table name into its metadata queries without validating or escaping it.

An attacker who can choose the table name can therefore break out of the intended query and execute arbitrary SQL statements against the connected SQLite3 database.

The critical severity rating describes the worst case, in which an application hands request-controlled data (a table name taken from a URL, form field or API parameter, for example) straight to one of these methods.

These functions are intended for internal schema operations, and an application that only ever calls them with hard-coded table names is not exploitable through this bug. The risk arises in code that exposes them, directly or indirectly, to external input.

ADOdb SQLite3 Driver Vulnerability

ADOdb is one of the most widely deployed PHP database abstraction libraries, with over 88,000 monthly downloads and more than 2.8 million total downloads via Packagist.

The library provides powerful abstractions for performing database queries while hiding differences between various database engines, making it a popular choice for PHP developers seeking database portability.

The vulnerability affects all ADOdb releases up to and including 5.22.9. Given the library's extensive adoption, the potential blast radius includes numerous PHP applications, content management systems and web frameworks that rely on ADOdb for database operations.

Major platforms and applications built on ADOdb could be indirectly affected, underlining why a vulnerability at the library level matters far beyond the library itself.

Only the SQLite3 driver is affected by this CVE. Applications that use ADOdb with another database engine are not exposed to this particular bug, but any application that uses ADOdb to connect to SQLite3 databases is potentially vulnerable.

SQLite3 is commonly used in embedded applications, mobile apps and smaller web applications, which broadens the range of potentially affected systems.

Mitigations

ADOdb maintainers have released version 5.22.10 to address the vulnerability, with the fix implemented in commit 5b8bd52.

The patch introduces proper escaping mechanisms for the affected methods, ensuring that table names are safely handled before being incorporated into SQL queries.

Organizations using ADOdb should upgrade to version 5.22.10 or later without delay. Where an immediate upgrade is not feasible, a temporary workaround is to ensure that only controlled, validated data reaches the $table parameter of metaColumns(), metaForeignKeys() and metaIndexes(); in practice this means checking a requested name against an allowlist of known table names (for example, the names the database itself reports) rather than trying to sanitise arbitrary strings.

This manual validation should be treated as a stopgap only. Relying solely on caller-side input filtering is error-prone, since every call site has to get it right, and the patched driver escapes the table name regardless of what callers do.
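The following is an added example, not ADOdb's own code nor the fix from commit 5b8bd52, showing the allowlist workaround described above for the bug class described earlier in the article. It assumes ADOdb is installed via Composer (so vendor/autoload.php exists) and uses a constructed in-memory SQLite3 database; the helper names resolveTableName() and safeMetaColumns() are this example's own, and the hostile table name is a constructed illustration of the quote-breaking input class, not a payload taken from the advisory.

```php
<?php
// Added example (not ADOdb's own code): gate schema-introspection calls on an
// allowlist of real table names so that untrusted input never reaches the
// $table parameter of metaColumns()/metaForeignKeys()/metaIndexes().
// Assumption: ADOdb is installed via Composer and an in-memory SQLite3
// database is acceptable for the demonstration.
require __DIR__ . '/vendor/autoload.php';

/**
 * Return the canonical name of $requested if it is an existing table,
 * otherwise throw. Comparison is case-insensitive because SQLite table
 * names are.
 */
function resolveTableName(ADOConnection $db, string $requested): string
{
    // Cheap structural filter first: a legitimate identifier never contains
    // quotes, semicolons or whitespace, so reject obvious payloads early.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $requested)) {
        throw new InvalidArgumentException("Rejected table name: $requested");
    }
    // Authoritative check: the name must be one the database itself reports.
    $known = $db->metaTables('TABLES') ?: [];
    foreach ($known as $name) {
        if (strcasecmp($name, $requested) === 0) {
            return $name; // use the database's spelling, not the caller's
        }
    }
    throw new InvalidArgumentException("Unknown table: $requested");
}

/** metaColumns() that only ever sees a name taken from the allowlist. */
function safeMetaColumns(ADOConnection $db, string $requested): array
{
    $table = resolveTableName($db, $requested);
    $cols = $db->metaColumns($table);
    return $cols === false ? [] : $cols;
}

// --- demo on a constructed in-memory database ------------------------------
$db = newAdoConnection('sqlite3');
$db->connect(':memory:');
$db->execute('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');

// Upgrade check: 5.22.10 is the first release carrying the fix.
if (version_compare($db->version(), '5.22.10', '<')) {
    fwrite(STDERR, 'ADOdb ' . $db->version() . " is affected by CVE-2025-54119; upgrade\n");
}

// Legitimate request: behaves exactly as a direct metaColumns() call would.
foreach (safeMetaColumns($db, 'users') as $col) {
    printf("%-10s %s\n", $col->name, $col->type);
}

// Hostile request (constructed): a quote-breaking table name of the kind the
// unpatched driver would have interpolated. It is rejected before ADOdb runs
// any query at all.
try {
    safeMetaColumns($db, "users'); DROP TABLE users; --");
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

The regex filter alone would already stop the sample payload, but it is not the real control; the metaTables() lookup is, because it ties the accepted set to what actually exists in the database rather than to a guess about which characters are dangerous. The same wrapper pattern applies unchanged to metaForeignKeys() and metaIndexes().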

Linux distributions have begun issuing security advisories and updates, with Ubuntu releasing USN-7530-1 to address the vulnerability in their package repositories.

System administrators should monitor their distribution’s security channels for relevant updates and apply them promptly.

The rapid response from maintainers and distributors demonstrates the seriousness with which this vulnerability is being treated across the software ecosystem.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
