CVE-2025-3818

Name: CVE-2025-3818
Description: A vulnerability, which was classified as critical, was found in webpy web.py 0.70. Affected is the function PostgresDB._process_insert_query of the file web/db.py. The manipulation of the argument seqname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1103780
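
The description above names the injection point (the seqname argument of PostgresDB._process_insert_query) but not the shape of the bug. The sketch below is an added illustration, not web.py's own code and not the fix in the commit linked under Notes: vulnerable_insert_sql mirrors the pattern the advisory describes, a caller-supplied sequence name formatted straight into a trailing SELECT currval(...), and hardened_insert_sql shows one way to close it, by validating the name as a plain or schema-qualified Postgres identifier and double-quoting it. The function names, the regex, the quote_ident helper and the sample queries are assumptions made for this example.

```python
import re
from typing import Optional

# Illustration only (not web.py's code). The vulnerable builder follows the
# pattern described in the advisory: the sequence name is interpolated into the
# SQL text with no validation, so a crafted seqname closes the string literal
# and appends further statements.


def vulnerable_insert_sql(insert_query: str, tablename: str, seqname: Optional[str]) -> str:
    """Unsafe: seqname goes into the SQL text verbatim."""
    if seqname is None:
        seqname = tablename + "_id_seq"  # default guessed from the table name
    return insert_query + "; SELECT currval('%s')" % seqname


# A Postgres identifier, optionally schema-qualified: foo_id_seq, public.foo_id_seq
_IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
_SEQNAME_RE = re.compile(rf"^{_IDENT}(\.{_IDENT})?$")


def quote_ident(name: str) -> str:
    """Double-quote one identifier, escaping any embedded double quote."""
    return '"' + name.replace('"', '""') + '"'


def hardened_insert_sql(insert_query: str, tablename: str, seqname: Optional[str]) -> str:
    """Safe: reject anything that is not an identifier, then quote each part so
    the value can only ever be read as a name, never as SQL syntax."""
    if seqname is None:
        seqname = tablename + "_id_seq"
    if not _SEQNAME_RE.match(seqname):
        raise ValueError("invalid sequence name: %r" % seqname)
    quoted = ".".join(quote_ident(part) for part in seqname.split("."))
    # currval() takes a regclass; a quoted, schema-qualified name inside the
    # string literal is valid input for it, e.g. currval('"public"."foo_id_seq"')
    return insert_query + "; SELECT currval('%s')" % quoted


def is_rejected(seqname: Optional[str]) -> bool:
    """True when the hardened builder refuses the given sequence name."""
    try:
        hardened_insert_sql("SELECT 1", "t", seqname)
    except ValueError:
        return True
    return False


# Constructed sample input: a benign insert and a seqname that smuggles in a
# second statement by closing the currval() string literal early.
SAMPLE_INSERT = "INSERT INTO users (name) VALUES ('bob')"
MALICIOUS_SEQNAME = "x'); DROP TABLE users; --"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_insert_sql(SAMPLE_INSERT, "users", MALICIOUS_SEQNAME))
    print("hardened default:", hardened_insert_sql(SAMPLE_INSERT, "users", None))
    print("malicious rejected:", is_rejected(MALICIOUS_SEQNAME))
```

Run as a script it prints the injected statement produced by the unsafe builder, the quoted default produced by the hardened one, and confirms the crafted name is refused. The allow-list regex is the real control; the quoting is a second layer so that even a name that somehow passed validation cannot terminate the literal.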

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release    Version    Status
webpy (PTS)      bullseye   1:0.61-1   vulnerable
                 bookworm   1:0.62-4   vulnerable
                 trixie     1:0.62-5   vulnerable
                 sid        1:0.62-6   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
webpy     source   (unstable)   1:0.62-6                           1103780

Notes

https://noppgwz8if.feishu.cn/docx/TxjpddUpTokyBwxibSgcTRr7nUf
https://github.com/webpy/webpy/issues/806
Fixed by: https://github.com/webpy/webpy/commit/3ba1b40e5a828a26a1df1b49cdc87395f3274c81
