CVE-2025-54119
Published: 05 August 2025
Summary
CVE-2025-54119 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 34.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-54119 is a SQL injection vulnerability in ADOdb, a PHP database abstraction library, affecting versions 5.22.9 and earlier. The flaw stems from improper escaping of a query parameter, enabling arbitrary SQL statement execution when ADOdb connects to a SQLite3 database and invokes the metaColumns(), metaForeignKeys(), or metaIndexes() methods with a maliciously crafted table name.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction, as reflected in its CVSS 3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L). By controlling the $table parameter passed to the affected methods, the attacker achieves arbitrary SQL execution on the SQLite3 database, leading to high-impact confidentiality and integrity compromise (data exfiltration or modification) with limited availability disruption. The vector rates the library primitive; in a deployed application the attacker must be able to influence the table name that the application hands to these methods (for example through a request parameter), so real exposure depends on how the calling code uses ADOdb.
The vulnerability is fixed in ADOdb version 5.22.10, as detailed in the project's GitHub commit, issue tracker, and security advisory (GHSA-vf2r-cxg9-p7rf). A workaround involves ensuring only controlled, trusted data is passed to the $table parameter of the affected methods. Debian LTS has also announced tracking and mitigation for affected packages.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23567
Vulnerability details
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To work around this issue, only pass controlled data to the $table parameter of the metaColumns(), metaForeignKeys() and metaIndexes() methods.
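The workaround described above (and in the Deeper analysis section) is to let only controlled data reach the $table parameter. The following PHP is an added example, not ADOdb project code, of how an application can enforce that: it resolves an untrusted name against the tables the connection can actually enumerate via metaTables() before calling metaColumns(), and it checks the loaded ADOdb version against the fixed release. It assumes ADOdb is installed through Composer, that ./app.sqlite exists and contains a table named users (both constructed for the example), and that ADODB_VERSION is the version constant defined by adodb.inc.php. The helper names resolveTrustedTable() and adodbNeedsUpgrade() are hypothetical.

```php
<?php
// Added example (not ADOdb project code): allowlist guard for the $table
// argument of metaColumns()/metaForeignKeys()/metaIndexes() on the sqlite3
// driver, implementing the advisory's workaround of passing only controlled
// data. Assumed: Composer autoload at ./vendor, and ./app.sqlite with a table
// called "users" (constructed for this example).

require_once __DIR__ . '/vendor/autoload.php';

const ADODB_FIXED_VERSION = '5.22.10';

/**
 * True when the loaded ADOdb is older than the release that fixes
 * CVE-2025-54119. ADODB_VERSION is assumed to be a 'v'-prefixed string.
 */
function adodbNeedsUpgrade(): bool
{
    if (!defined('ADODB_VERSION')) {
        return true; // cannot prove it is fixed; treat as affected
    }
    return version_compare(ltrim(ADODB_VERSION, 'vV'), ADODB_FIXED_VERSION, '<');
}

/**
 * Resolve an untrusted table name to a name the catalog actually contains.
 * Check 1: strict identifier shape, which rejects quotes, spaces, parentheses
 *          and comment sequences before the driver ever sees them.
 * Check 2: case-insensitive membership in metaTables(), so the value passed on
 *          is the catalog's own spelling, never the caller's input.
 */
function resolveTrustedTable(ADOConnection $db, string $untrusted): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $untrusted)) {
        throw new InvalidArgumentException('table name has an invalid shape');
    }
    $known = $db->metaTables('TABLES');
    if ($known === false) {
        throw new RuntimeException('could not enumerate tables');
    }
    foreach ($known as $name) {
        if (strcasecmp($name, $untrusted) === 0) {
            return $name;
        }
    }
    throw new InvalidArgumentException('unknown table');
}

// Vulnerable pattern: request data flows straight into $table.
//   $cols = $db->metaColumns($_GET['table']);

// Hardened pattern: resolve against the allowlist first.
$db = ADONewConnection('sqlite3');
$db->connect(__DIR__ . '/app.sqlite');

if (adodbNeedsUpgrade()) {
    error_log('ADOdb ' . (defined('ADODB_VERSION') ? ADODB_VERSION : '?')
        . ' is affected by CVE-2025-54119; upgrade to ' . ADODB_FIXED_VERSION);
}

// Constructed inputs: a real table, a malformed value, and a non-existent table.
foreach (['users', "users') OR 1=1 --", 'no_such_table'] as $candidate) {
    try {
        $table = resolveTrustedTable($db, $candidate);
        $cols  = $db->metaColumns($table);
        printf("%-25s -> %d columns\n", $candidate, is_array($cols) ? count($cols) : 0);
    } catch (Throwable $e) {
        printf("%-25s -> rejected: %s\n", $candidate, $e->getMessage());
    }
}
```

The shape check alone would already reject the second input, but the allowlist is what makes the guard robust: a syntactically valid identifier that names a table the application does not intend to expose is refused too, and the driver only ever receives a string it produced itself. The version check is a stopgap for detection; the fix is upgrading to 5.22.10.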
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The flaw is a direct, remote, unauthenticated SQL injection in a database abstraction library embedded in applications: crafted input that reaches the exposed methods (metaColumns() and the others listed above) yields arbitrary SQL execution, which is the behaviour T1190 describes.
Affected Assets
- ADOdb (PHP database abstraction library), versions 5.22.9 and earlier, when connected to a SQLite3 database
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): remediates the SQL injection vulnerability in ADOdb by patching to version 5.22.10, directly eliminating the improper escaping flaw.
- SI-10 (Information Input Validation): validates table name inputs to the ADOdb metaColumns(), metaForeignKeys() and metaIndexes() methods, preventing arbitrary SQL execution on SQLite3 databases.
- Restrict the $table parameter to controlled, trusted data only, implementing the recommended workaround to block malicious inputs until the patch is applied.