A critical SQL injection vulnerability has been discovered in the ADOdb PHP database abstraction library, specifically in its SQLite3 driver. This vulnerability is tracked as CVE-2025-54119 and is rated with a maximum CVSS severity score of 10.0, indicating a critical security risk.
Vulnerability Overview
- Software Affected: ADOdb PHP library, SQLite3 driver component.
- Issue Description: The vulnerability arises from improper escaping of table names within certain metadata methods of the SQLite3 driver:
metaColumns()metaForeignKeys()metaIndexes()These methods accept a$tableparameter to perform schema introspection, but this parameter is not properly sanitized or escaped.- Nature of the Vulnerability: SQL Injection
Since these methods use the unescaped$tableparameter directly in SQL queries, an attacker who can control this input can inject and execute arbitrary SQL commands on the database.
Impact of Exploitation
- Potential Damage: Through this SQL injection, attackers can:
- Manipulate or leak sensitive data
- Execute unauthorized commands on the database
- Potentially escalate privileges or pivot to further attacks on the system hosting the database
- Although these methods are typically used internally for schema information retrieval and might not always be exposed directly to users, any application passing user input unvalidated into these functions becomes vulnerable.
Affected Versions and Fixes
- Versions of ADOdb prior to 5.22.10 contain this flaw.
- The vulnerability was addressed and fixed in ADOdb version 5.22.10 by implementing strict escaping and sanitization of the table name input parameters, preventing any potential injection.
Recommendations for Mitigation
- Immediate Upgrade:
- Upgrade ADOdb to version 5.22.10 or later. This is the most effective and recommended mitigation.
- Input Validation as a Temporary Measure:
- If immediate upgrade is not possible, ensure applications strictly validate and sanitize inputs passed as table names to affected methods.
- Avoid passing any user-controllable input directly to these metadata functions without validation.
- General Security Practices:
- Implement least privilege on database access accounts.
- Avoid exposing schema introspection features or internal APIs to untrusted users.
- Use parameterized queries and safe database abstraction practices.
Additional Context
- This vulnerability is specific to the ADOdb SQLite3 driver interface, and not a vulnerability within the SQLite engine itself.
- Other ADOdb drivers have had related vulnerabilities, but this particular critical SQL injection applies to the SQLite3 driver.
- Separate security advisories exist regarding the SQLite engine, mostly related to memory safety and other classes of issues, but not this injection attack vector.
Summary
This SQL injection vulnerability in the ADOdb SQLite3 driver is extremely serious due to its critical severity and wide potential impact. Any PHP applications relying on ADOdb to interface with SQLite databases should prioritize updating to version 5.22.10 or above immediately. Failing to patch allows attackers to execute arbitrary SQL commands, risking full database compromise and broader application security failure.
By upgrading promptly and following secure coding practices around metadata functions, organizations can adequately protect themselves against this critical risk.
If you are using ADOdb with SQLite3, taking action now to apply the fix is essential for securing your systems and data integrity.
GitHub profile for the ADOdb project where Marco Nappi credited for vulnerability disclosures: https://github.com/ADOdb/ADOdb
