Critical Flaw in ADOdb SQLite3 Driver Allows Arbitrary SQL Execution

A critical security vulnerability has been discovered in the popular ADOdb PHP database abstraction library that could allow attackers to execute arbitrary SQL statements, posing significant risks to applications using SQLite3 databases.

The flaw, designated as CVE-2025-54119, affects all versions of ADOdb up to and including 5.22.9.

Field               Details
CVE ID              CVE-2025-54119
Vulnerability Type  SQL Injection in ADOdb sqlite3 driver
Severity            Critical
CVSS v3.1 Vector    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Vulnerability Details and Impact

The security issue stems from improper escaping of the table name within the ADOdb SQLite3 driver, specifically affecting three metadata methods: metaColumns(), metaForeignKeys(), and metaIndexes().

When these methods are called with a crafted table name, the injected SQL is executed against the underlying SQLite3 database.

The vulnerability was published by dregad, a prominent maintainer of the ADOdb project based in Switzerland, who has been actively involved in maintaining several critical PHP projects including the Mantis Bug Tracker.

The security advisory was made public just two days ago, highlighting the urgent nature of this disclosure.

According to the Common Vulnerability Scoring System (CVSS) v3.1 metrics, this flaw has been assigned a critical severity rating.

The attack vector is classified as network-based with low complexity, requiring no privileges or user interaction.

The scope is considered “changed,” meaning the vulnerability can affect resources beyond the immediate component, with high impact on both confidentiality and integrity, and low impact on availability.

The root cause lies in inadequate input sanitization when processing table names passed to the affected metadata methods.

This represents a classic SQL injection vulnerability classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

In worst-case scenarios where user-supplied data is passed directly to these methods without validation, attackers could potentially read sensitive data, modify database contents, or execute administrative operations.

The vulnerability particularly affects applications that dynamically generate database metadata queries based on user input, a common pattern in database administration tools, content management systems, and custom applications that provide database introspection capabilities.

ADOdb developers have addressed this critical flaw in version 5.22.10, released through commit 5b8bd52cdcffefb4ecded1b399c98cfa516afe03.

Organizations using affected versions should immediately upgrade to the patched release to eliminate this security risk.

For environments where immediate upgrading is not feasible, developers can implement a temporary workaround by ensuring that only controlled, validated data is passed to the metaColumns(), metaForeignKeys(), and metaIndexes() methods’ $table parameter.
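The workaround above, as an added example that is not part of the advisory or of ADOdb itself: a small gate that only lets a table name through to the affected methods when it is a plain identifier and is one the database itself reports via metaTables(). The install path of adodb.inc.php and the in-memory demo database are assumptions.

```php
<?php
// Added example (not ADOdb project code): validate the $table argument before
// it reaches metaColumns()/metaForeignKeys()/metaIndexes() on ADOdb <= 5.22.9.
require_once __DIR__ . '/adodb/adodb.inc.php'; // assumed install location

function validatedTableName(ADOConnection $db, string $table): string
{
    // 1. Syntactic check: only a plain SQL identifier is accepted. Anything with
    //    quotes, spaces or punctuation is refused before it touches a query.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $table)) {
        throw new InvalidArgumentException(
            'Rejected table name (hex): ' . bin2hex($table));
    }
    // 2. Semantic check: the name must be one the database actually reports.
    //    Comparison is strict, so a case mismatch fails closed; that is deliberate.
    $known = $db->metaTables('TABLES');
    if ($known === false || !in_array($table, $known, true)) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    return $table;
}

function safeMetaColumns(ADOConnection $db, string $table)
{
    return $db->metaColumns(validatedTableName($db, $table));
}

function safeMetaIndexes(ADOConnection $db, string $table)
{
    return $db->metaIndexes(validatedTableName($db, $table));
}

function safeMetaForeignKeys(ADOConnection $db, string $table)
{
    return $db->metaForeignKeys(validatedTableName($db, $table));
}

// Demo on a constructed in-memory database (assumption: the sqlite3 driver
// accepts ':memory:' as the connect argument, as the SQLite3 class does).
$db = ADONewConnection('sqlite3');
$db->connect(':memory:');
$db->execute('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

print_r(safeMetaColumns($db, 'users'));      // legitimate name passes through
try {
    safeMetaColumns($db, "users'");            // quote character: refused
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Rejections are thrown rather than silently dropped so that the calling application can log them; a burst of such exceptions in application logs is a useful signal that someone is probing the metadata endpoints.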

The vulnerability was responsibly disclosed by security researcher Marco Nappi (@mrcnpp), who identified the flaw and reported it through proper channels.

This discovery underscores the importance of ongoing security research in widely-used open-source libraries that form the backbone of countless web applications worldwide.

Organizations should audit their ADOdb implementations and prioritize applying this security update to protect against potential exploitation of this critical vulnerability.
