CVE-2025-46337

Published May 1, 2025

Last updated a month ago

PHP

ADOdb

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-46337 is an SQL injection vulnerability found in ADOdb, a PHP database class library. Specifically, it affects the `pg_insert_id()` function when ADOdb connects to a PostgreSQL database. The vulnerability stems from improper escaping of a query parameter, which could allow an attacker to execute arbitrary SQL statements. This vulnerability occurs when user-supplied data is passed to the `pg_insert_id()` method's `$fieldname` parameter without proper sanitization. This could enable attackers to manipulate the SQL query, potentially leading to data theft, deletion, or even remote code execution. The issue was addressed in ADOdb version 5.22.9.

Description: ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. This issue has been patched in version 5.22.9.
Source: security-advisories@github.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 10
Impact score: 6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Severity: CRITICAL

Weaknesses

security-advisories@github.com: CWE-89

Hype score: Not currently trending

References