CVE-2025-24975

CVE-2025-24975 is a vulnerability in Firebird, an open-source relational database server, affecting versions prior to snapshot builds 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 when the ExtConnPoolSize configuration parameter is not set to 0. The issue stems from external connection pool (ExtConnPool) entries not being verified for the presence and suitability of the CryptCallback interface relative to conditions at creation time. This mismatch can trigger a segmentation fault (segfault) in the server process, particularly during chained execute statements on external connections. Encrypted databases accessed via such statements may subsequently be reachable by attachments lacking the encryption key, enabling unauthorized access, while the segfault can also impact unencrypted databases. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L) and maps to CWE-754 (Improper Check for Unusual or Exceptional Conditions).

A low-privileged user (PR:L) with network access can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction. By issuing execute statements on external connections in a configuration where ExtConnPoolSize exceeds 0, the attacker can induce a server segfault for denial-of-service impact (A:L). Attackers may also gain high confidentiality (C:H) and integrity (I:H) effects by accessing encrypted database contents without the required key via pooled connections reused by unauthorized attachments.

Firebird has patched the vulnerability in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, as well as point releases 4.0.6 and 5.0.2. A recommended workaround is to set ExtConnPoolSize to 0 in the firebird.conf file. Official advisories, including the fixing commit, issue discussion, and GitHub security advisory, provide further details on the patch and verification steps.