CVE-2025-54119

Name	CVE-2025-54119
Description	ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To workaround this issue, only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method's $table parameter.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1110464

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libphp-adodb (PTS)	bullseye	5.20.19-1+deb11u1	vulnerable
	bullseye (security)	5.20.19-1+deb11u2	vulnerable
	bookworm	5.21.4-1+deb12u1	vulnerable
	trixie	5.22.9-0.1	vulnerable
	forky, sid	5.22.10-0.1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libphp-adodb	source	(unstable)	5.22.10-0.1			1110464

Notes

[trixie] - libphp-adodb <no-dsa> (Minor issue; can be fixed via point release))
[bookworm] - libphp-adodb <no-dsa> (Minor issue; can be fixed via point release)
https://github.com/ADOdb/ADOdb/security/advisories/GHSA-vf2r-cxg9-p7rf
https://github.com/ADOdb/ADOdb/issues/1083
Fixed by: https://github.com/ADOdb/ADOdb/commit/5b8bd52cdcffefb4ecded1b399c98cfa516afe03 (v5.22.10)