Cyber Resilience

CVE-2022-31631

Severity: Critical
Published: 12 February 2025
Modified: 02 July 2025
KEV Added: not listed
Patch: available (fixed in PHP 8.0.27, 8.1.15 and 8.2.2)
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0082 (74.7th percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-31631 is a critical-severity Injection (CWE-74) vulnerability in PHP (vendor Php, product Php). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score places it in the top 25.3% of CVEs by exploit likelihood (74.7th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-31631 is a vulnerability in the PHP PDO::quote() function when used with SQLite databases. It affects PHP versions 8.0.* prior to 8.0.27, 8.1.* prior to 8.1.15, and 8.2.* prior to 8.2.2. The issue arises when an overly long user-supplied string is passed to PDO::quote(): the SQLite driver quotes the data incorrectly, and if the application then concatenates that output into a SQL statement, the result can be SQL injection. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'); the downstream component here is the SQLite SQL engine, so the practical outcome is the SQL injection class described by CWE-89.

An attacker can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. By supplying an excessively long string to an application that quotes it with PDO::quote() for SQLite and then builds SQL text from the result, the attacker can bypass proper quoting, leading to SQL injection. Successful exploitation allows high-impact confidentiality and integrity violations, such as unauthorized data access or modification, without affecting availability. The precondition is application code that assembles SQL by string concatenation around PDO::quote() output; code that uses prepared statements with bound parameters never passes the value through quote() and is not exposed by this flaw.

Advisories recommend upgrading to PHP 8.0.27, 8.1.15, or 8.2.2 (or later), where the quoting issue has been fixed. The primary bug report is documented at bugs.php.net/bug.php?id=81740, and NetApp's advisory (ntap-20230223-0007) addresses the issue in affected products, urging prompt patching. PDO::quote() is documented to return false on failure, so any remaining call sites should check the return value before concatenating it into SQL.
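The following is an added example, not code from the page or from the PHP project. It checks a PHP version string against the fixed releases named above using the standard version_compare() function, then shows the quote-and-concatenate pattern the advisory warns about next to the bound-parameter form that does not pass the value through PDO::quote() at all. The in-memory SQLite database, table and sample rows are constructed for the example, and the function names are the example's own.

```php
<?php
// Added example (not from the advisory or the PHP project): version triage for
// CVE-2022-31631 plus the vulnerable and hardened query patterns side by side.
declare(strict_types=1);

/** First fixed release per affected minor line, as stated in the advisory text. */
const CVE_2022_31631_FIXED = ['8.0' => '8.0.27', '8.1' => '8.1.15', '8.2' => '8.2.2'];

/** True when $version falls inside one of the affected ranges (8.0.*, 8.1.*, 8.2.* before the fix). */
function isAffectedByCve202231631(string $version): bool
{
    $line = implode('.', array_slice(explode('.', $version), 0, 2)); // "8.1.14" -> "8.1"
    if (!isset(CVE_2022_31631_FIXED[$line])) {
        return false; // not one of the minor lines the advisory lists
    }
    return version_compare($version, CVE_2022_31631_FIXED[$line], '<');
}

// Constructed in-memory database so the example runs without external state.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

/**
 * The pattern the advisory describes: attacker-controlled text goes through
 * PDO::quote() and is concatenated into SQL text. On an unpatched build an
 * overly long $name can be mis-quoted, turning this into SQL injection.
 * quote() may also return false, which would leave the statement malformed.
 */
function lookupWithQuote(PDO $pdo, string $name): array
{
    $quoted = $pdo->quote($name);
    if ($quoted === false) {
        throw new RuntimeException('PDO::quote() failed; refusing to build SQL');
    }
    $sql = 'SELECT id, name FROM users WHERE name = ' . $quoted;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened form: the value is bound to a placeholder and never enters the SQL text. */
function lookupWithBoundParam(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("running PHP %s: %s\n", PHP_VERSION,
    isAffectedByCve202231631(PHP_VERSION) ? 'AFFECTED, upgrade' : 'not in the affected ranges');

// Constructed version strings covering each boundary from the advisory.
foreach (['8.0.26', '8.0.27', '8.1.14', '8.1.15', '8.2.1', '8.2.2', '8.3.0'] as $v) {
    printf("%-7s %s\n", $v, isAffectedByCve202231631($v) ? 'affected' : 'not affected');
}

$probe = "alice' OR '1'='1"; // constructed input carrying a quote character
var_dump(lookupWithQuote($pdo, $probe));      // empty on a correctly quoting build
var_dump(lookupWithBoundParam($pdo, $probe)); // empty regardless of how quote() behaves
```

The version check is a triage aid for inventories that only record the PHP version string; the authoritative fix is to be on the patched release. The bound-parameter lookup is the code change to make regardless of version, since it removes PDO::quote() from the data path entirely.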

EU & UK References

Vulnerability details

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.

CWE(s)

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The flaw is a remotely reachable SQL injection in PHP's PDO::quote() for SQLite, so any public-facing web application that quotes user input this way can be exploited without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-6965 · same product: Sqlite Sqlite
CVE-2026-6722 · same product: Php Php
CVE-2025-70873 · same product: Sqlite Sqlite
CVE-2025-1736 · same product: Php Php
CVE-2024-39604 · shared CWE-74
CVE-2025-20337 · shared CWE-74
CVE-2025-64428 · shared CWE-74
CVE-2026-45344 · shared CWE-74
CVE-2026-25814 · shared CWE-74
CVE-2026-33833 · shared CWE-74

Affected Assets

php:php (vendor:product)
Affected: 8.0.0 up to but not including 8.0.27 · 8.1.0 up to but not including 8.1.15 · 8.2.0 up to but not including 8.2.2

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent · SI-2 Flaw Remediation

Directly requires timely remediation of the known flaw in PHP's PDO::quote() function for SQLite by patching to the fixed versions (8.0.27, 8.1.15 or 8.2.2 and later).

prevent · SI-10 Information Input Validation

Mandates validation of user-supplied inputs before they reach PDO::quote(), limiting SQL injection even when quoting fails on overly long strings. Validation is a compensating control; replacing quote()-and-concatenate code with prepared statements and bound parameters removes the exposed code path altogether.

prevent

Restricts input length and types to block the overly long strings that trigger the SQLite driver's incorrect quoting and enable SQL injection.
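As an added example of the input-length and validation controls above (not code from the page or the PHP project), the wrapper below gates PDO::quote() behind a byte limit and then verifies that the driver returned exactly what correct SQLite quoting must produce: the input wrapped in single quotes with every embedded single quote doubled. The 4096-byte ceiling, the function name and the sample inputs are the example's own assumptions.

```php
<?php
// Added example (not from the advisory or the PHP project): a length gate and an
// output self-check in front of PDO::quote() for SQLite.
declare(strict_types=1);

const MAX_QUOTED_INPUT_BYTES = 4096; // assumed application limit; size it per field

/**
 * Quote $value for SQLite only if it is within $maxBytes, and refuse the result
 * unless it matches the expected quoted form byte for byte. Any driver output
 * that deviates from that form (missing quotes, truncation, unescaped quotes)
 * is rejected rather than concatenated into SQL.
 */
function boundedQuote(PDO $pdo, string $value, int $maxBytes = MAX_QUOTED_INPUT_BYTES): string
{
    $len = strlen($value);
    if ($len > $maxBytes) {
        throw new LengthException(sprintf('input of %d bytes exceeds the %d-byte limit', $len, $maxBytes));
    }

    $quoted = $pdo->quote($value, PDO::PARAM_STR);
    // SQLite string literals: wrap in single quotes, double every embedded single quote.
    $expected = "'" . str_replace("'", "''", $value) . "'";
    if ($quoted === false || $quoted !== $expected) {
        throw new RuntimeException('PDO::quote() did not return a correctly quoted string');
    }
    return $quoted;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed inputs: ordinary text, an embedded quote, a classic injection probe,
// a NUL-byte probe, and a string one byte over the limit.
$samples = [
    'plain'    => 'alice',
    'quote'    => "O'Brien",
    'probe'    => "x' OR 1=1 --",
    'nul'      => "abc\0def",
    'overlong' => str_repeat('A', MAX_QUOTED_INPUT_BYTES + 1),
];

foreach ($samples as $label => $value) {
    try {
        printf("%-8s -> %s\n", $label, addcslashes(boundedQuote($pdo, $value), "\0"));
    } catch (LengthException | RuntimeException $e) {
        printf("%-8s -> rejected: %s\n", $label, $e->getMessage());
    }
}
```

The comparison against the expected literal form is cheap and independent of the PHP version, so it is a reasonable guard for legacy code that cannot be moved to bound parameters immediately; a rejection from it is a signal worth logging, since correctly functioning quoting should never trip it.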

References

bugs.php.net/bug.php?id=81740 (PHP bug report; fix shipped in 8.0.27, 8.1.15 and 8.2.2)
NetApp advisory ntap-20230223-0007