ADOdb CVE-2025-54119 SQL Injection: Brief Summary and Technical Details

This post provides a brief summary of CVE-2025-54119, a critical SQL injection vulnerability in ADOdb affecting versions 5.22.9 and below when the SQLite3 driver is used. The vulnerability allows arbitrary SQL execution through improper escaping in the metaColumns, metaForeignKeys, and metaIndexes methods. Patch details and affected versions are highlighted.
ZeroPath CVE Analysis

2025-08-04

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Applications relying on ADOdb for PHP database abstraction with SQLite3 are exposed to arbitrary SQL execution risks due to a critical flaw in metadata retrieval functions. Attackers can exploit improper escaping in table name parameters to compromise data integrity and confidentiality.

About ADOdb: ADOdb is a widely adopted open-source PHP library providing a unified API for interacting with multiple database systems. It is used in enterprise software, content management systems, and research applications, making vulnerabilities in its core components highly impactful across the PHP ecosystem.

Technical Information

CVE-2025-54119 is a SQL injection vulnerability in ADOdb's SQLite3 driver, affecting versions 5.22.9 and below. The vulnerability exists in the following methods:

  • metaColumns
  • metaForeignKeys
  • metaIndexes

These methods accept a $table parameter, which is used to construct SQL queries for retrieving metadata about database tables, columns, and foreign keys. In affected versions, the $table parameter is not properly escaped or sanitized before being concatenated into SQL statements. If an attacker can control the value passed to these methods, they can inject arbitrary SQL code.

The vulnerability is specific to the SQLite3 driver implementation. Other database drivers in ADOdb are not affected by this issue. The root cause is the lack of input validation or parameterization for the table name, leading to direct injection opportunities.

No public code snippets are available, but the advisory and commit history confirm the location and nature of the flaw.
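As an added illustration of the pattern described above (not ADOdb's own code, and written in Python against the sqlite3 module because the flaw lies in how the SQLite3 driver assembles its statements), the following contrasts a metadata lookup that splices the table name into the SQL text with a hardened form that checks the name against sqlite_master via a bound parameter and then emits it only as a quoted identifier. The in-memory schema, table names and function names are constructed for the example.

```python
import sqlite3

# Constructed in-memory database standing in for an application's SQLite3 schema.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT);
    CREATE TABLE "o'reilly" (id INTEGER PRIMARY KEY, url TEXT);
""")


def meta_columns_vulnerable(conn, table):
    """Same shape as the flaw: the caller-supplied table name is spliced into the
    SQL text, so any quote in it is parsed as SQL rather than treated as a name."""
    rows = conn.execute("PRAGMA table_info('" + table + "')")
    return [row[1] for row in rows]  # row[1] is the column name


def meta_columns_fixed(conn, table):
    """Hardened form. SQLite cannot bind an identifier as a parameter, so the name
    is first checked against sqlite_master with a bound parameter (where it is
    plain data), then emitted only as a properly quoted identifier."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    if row is None:
        raise ValueError("unknown table: %r" % (table,))
    # Quote the stored name as an identifier: wrap in double quotes and double any
    # embedded double quote. A single quote needs no escaping inside "...".
    ident = '"' + row[0].replace('"', '""') + '"'
    return [r[1] for r in conn.execute("PRAGMA table_info(%s)" % ident)]


def probe(fn, conn, table):
    """Run a metadata lookup and report its result, or the class of error raised."""
    try:
        return ("ok", fn(conn, table))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    for name in ("users", "o'reilly", "does_not_exist"):
        print(name,
              probe(meta_columns_vulnerable, CONN, name),
              probe(meta_columns_fixed, CONN, name))
```

The legitimately named table o'reilly breaks the concatenating version (its quote terminates the literal and the remainder is parsed as SQL), while the hardened version resolves it correctly and rejects names that do not exist instead of silently returning nothing.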

Affected Systems and Versions

  • Product: ADOdb PHP database abstraction library
  • Affected versions: 5.22.9 and below
  • Vulnerable configuration: Use of the SQLite3 driver and invocation of metaColumns, metaForeignKeys, or metaIndexes with user-controlled or unvalidated table names

Vendor Security History

ADOdb has previously experienced SQL injection vulnerabilities in its database drivers. Notably, CVE-2025-46337 affected the PostgreSQL driver. The maintainers have demonstrated prompt patching and public advisories for critical issues. The project is maintained by an active open-source team and benefits from external security research contributions.
