CVE-2025-3818

Name: CVE-2025-3818
Description: A vulnerability, which was classified as critical, was found in webpy web.py 0.70. Affected is the function PostgresDB._process_insert_query of the file web/db.py. The manipulation of the argument seqname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4189-1
Debian Bugs: 1103780

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version             Status
webpy (PTS)      bullseye              1:0.61-1            vulnerable
                 bullseye (security)   1:0.61-1+deb11u1    fixed
                 bookworm              1:0.62-4            vulnerable
                 trixie, sid           1:0.62-6            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version       Urgency   Origin       Debian Bugs
webpy     source   bullseye     1:0.61-1+deb11u1              DLA-4189-1
webpy     source   (unstable)   1:0.62-6                                   1103780

Notes

[bookworm] - webpy <no-dsa> (Minor issue; can be fixed in point release)
https://noppgwz8if.feishu.cn/docx/TxjpddUpTokyBwxibSgcTRr7nUf
https://github.com/webpy/webpy/issues/806
Fixed by: https://github.com/webpy/webpy/commit/3ba1b40e5a828a26a1df1b49cdc87395f3274c81
