CVE-2025-54119

NameCVE-2025-54119
DescriptionADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To workaround this issue, only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method's $table parameter.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1110464

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libphp-adodb (PTS)bullseye5.20.19-1+deb11u1vulnerable
bullseye (security)5.20.19-1+deb11u2vulnerable
bookworm5.21.4-1+deb12u1vulnerable
trixie5.22.9-0.1vulnerable
forky, sid5.22.10-0.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libphp-adodbsource(unstable)5.22.10-0.11110464

Notes

[trixie] - libphp-adodb <no-dsa> (Minor issue; can be fixed via point release))
[bookworm] - libphp-adodb <no-dsa> (Minor issue; can be fixed via point release)
[bullseye] - libphp-adodb <postponed> (Minor issue)
https://github.com/ADOdb/ADOdb/security/advisories/GHSA-vf2r-cxg9-p7rf
https://github.com/ADOdb/ADOdb/issues/1083
Fixed by: https://github.com/ADOdb/ADOdb/commit/5b8bd52cdcffefb4ecded1b399c98cfa516afe03 (v5.22.10)
Search for package or bug name: Reporting problems