Cyber Posture

CVE-2022-31631

Critical

Published: 12 February 2025
Modified: 02 July 2025
KEV Added: not listed
Patch: available (fixed PHP versions listed below)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0068 (71.7th percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-31631 is a critical-severity Injection (CWE-74) vulnerability in PHP (vendor php, product php). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, it ranks in the top 28.3% of CVEs by exploit likelihood (EPSS 71.7th percentile); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-2, Flaw Remediation): directly requires timely remediation of the known flaw in PHP's PDO::quote() function for SQLite by patching to the fixed versions (8.0.27, 8.1.15, 8.2.2).
- prevent (SI-10, Information Input Validation): mandates validation of user-supplied inputs before they are passed to PDO::quote(), preventing SQL injection even when quoting fails on overly long strings.
- prevent: restricts input length and types to block the overly long strings that trigger the SQLite driver's incorrect quoting and enable SQL injection.
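The three controls above map to concrete checks in application code. The following PHP script is an added example, not code from the Cyber Posture page or from the PHP project: it checks the running interpreter against the fixed versions stated in the NVD description, enforces an application-level input length limit before any database call, and shows the PDO::quote() string-building pattern beside a prepared-statement version that binds the value as a parameter instead of quoting it into the SQL text. The `MAX_INPUT_LEN` value, the `users` table and all function names are assumptions made for this example; the page itself gives no numeric threshold for "overly long".

```php
<?php
// Added example (not from the Cyber Posture page or the PHP project):
// defender-side checks corresponding to the SI-2 / SI-10 controls above.
declare(strict_types=1);

// Fixed versions per the NVD description for CVE-2022-31631.
const CVE_2022_31631_FIXED = ['8.0' => '8.0.27', '8.1' => '8.1.15', '8.2' => '8.2.2'];

// SI-2: is this interpreter inside one of the affected version ranges?
function phpAffectedByCve202231631(string $version): bool
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    if (!isset(CVE_2022_31631_FIXED[$branch])) {
        return false; // branches other than 8.0 / 8.1 / 8.2 are not listed as affected
    }
    return version_compare($version, CVE_2022_31631_FIXED[$branch], '<');
}

// SI-10: application-level length limit. 4096 is an assumed value for this
// example; size it to what the field legitimately needs in your application.
const MAX_INPUT_LEN = 4096;

function validateInput(string $value): string
{
    if (strlen($value) > MAX_INPUT_LEN) {
        throw new InvalidArgumentException('input exceeds ' . MAX_INPUT_LEN . ' bytes');
    }
    return $value;
}

// Pattern the advisory describes: the quoted value is spliced into the SQL text,
// so correctness depends entirely on PDO::quote() for the SQLite driver.
function findUserWithQuote(PDO $db, string $name): array
{
    $sql = 'SELECT id, name FROM users WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate length, then bind the value as a parameter so the
// driver never has to quote it into the statement text at all.
function findUserHardened(PDO $db, string $name): array
{
    $name = validateInput($name);
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

printf("PHP %s affected by CVE-2022-31631: %s\n",
    PHP_VERSION, phpAffectedByCve202231631(PHP_VERSION) ? 'yes' : 'no');
print_r(findUserHardened($db, 'alice'));

try {
    findUserHardened($db, str_repeat('A', MAX_INPUT_LEN + 1)); // over the limit
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The version check is a quick way to confirm SI-2 is actually satisfied on a given host; the input limit and the bound parameter are independent of the PHP version, so they remain useful as defence in depth after patching.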

NVD Description

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.

Deeper analysis

CVE-2022-31631 is a vulnerability in the PHP PDO::quote() function when used with SQLite databases. It affects PHP versions 8.0.* prior to 8.0.27, 8.1.* prior to 8.1.15, and 8.2.* prior to 8.2.2. The issue arises when an overly long user-supplied string is passed to PDO::quote(), causing the SQLite driver to incorrectly quote the data, which can enable SQL injection. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is classified as CWE-74 (Injection).

An attacker can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, user interaction, or special conditions. By supplying an excessively long string to an application that uses PDO::quote() for SQLite, the attacker can bypass proper quoting, leading to SQL injection. Successful exploitation allows high-impact confidentiality and integrity violations, such as unauthorized data access or modification, without affecting availability.

Advisories recommend upgrading to PHP versions 8.0.27, 8.1.15, or 8.2.2, where the quoting issue has been fixed. The primary bug report is documented at bugs.php.net/bug.php?id=81740, and NetApp's advisory (ntap-20230223-0007) addresses the issue in affected products, urging immediate patching.

Details

CWE(s): CWE-74 (Injection)

Affected Products

php / php: 8.0.0 up to (excluding) 8.0.27 · 8.1.0 up to (excluding) 8.1.15 · 8.2.0 up to (excluding) 8.2.2

CVEs Like This One

- CVE-2025-70873 (same product: sqlite / sqlite)
- CVE-2025-6965 (same product: sqlite / sqlite)
- CVE-2025-1736 (same product: php / php)
- CVE-2025-1861 (same product: php / php)
- CVE-2026-33202 (shared CWE-74)
- CVE-2026-25586 (shared CWE-74)
- CVE-2026-22200 (shared CWE-74)
- CVE-2025-1691 (shared CWE-74)
- CVE-2026-32616 (shared CWE-74)
- CVE-2025-67733 (shared CWE-74)

References