
CVE-2025-54119: The ADOdb sqlite3 driver allows SQL injection

CVSS Score: 10 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 8/4/2025
Updated: 8/4/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Package Name: adodb/adodb-php
Ecosystem: composer
Vulnerable Versions: <= 5.22.9
First Patched Version: 5.22.10

Vulnerability Intelligence
Root Cause Analysis

The vulnerability exists within the ADOdb library's sqlite3 driver. The root cause is the improper handling of user-supplied table names in three specific metadata functions: metaColumns, metaForeignKeys, and metaIndexes. In all three cases, the $table parameter, which can be controlled by an attacker, was directly concatenated or formatted into the SQL query string instead of being treated as a parameter. This allows for classic SQL injection attacks.

The provided patch addresses these vulnerabilities by consistently replacing string concatenation and sprintf formatting with parameterized queries. By using ? as a placeholder and passing the table name as a separate parameter to the execute, getOne, or getAll methods, the driver ensures that the input is treated as a single, literal value rather than executable SQL code. This effectively neutralizes the injection vector.

Any system using the ADOdb library with the sqlite3 driver and passing untrusted data to metaColumns(), metaForeignKeys(), or metaIndexes() is at risk. An attacker could exploit this to read, modify, or delete data in the database, and in some configurations, potentially achieve remote code execution on the server.


WAF Protection Rules

WAF Rule

Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name.
