Cyber Resilience

CVE-2025-54119

Critical

Published: 05 August 2025

Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (ADOdb 5.22.10)
CVSS Score (v3.1): 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
EPSS Score: 0.0047 (65.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54119 is a critical-severity SQL injection (CWE-89) vulnerability with a CVSS 3.1 base score of 10.0.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-54119 is a SQL injection vulnerability in ADOdb, a PHP database abstraction library, affecting versions 5.22.9 and earlier. The flaw stems from improper escaping of a query parameter, enabling arbitrary SQL statement execution when ADOdb connects to a SQLite3 database and invokes the metaColumns(), metaForeignKeys(), or metaIndexes() methods with a maliciously crafted table name.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L). By controlling the $table parameter passed to the affected methods, the attacker achieves arbitrary SQL execution on the SQLite3 database, potentially leading to high-impact confidentiality and integrity compromises, such as data exfiltration or modification, with limited availability disruption. Whether a given deployment is reachable this way depends on the application built on ADOdb: the library is not network-facing by itself, so the attacker needs a code path in which request-controlled data ends up in the $table argument of metaColumns(), metaForeignKeys() or metaIndexes() on a SQLite3 connection.

The vulnerability is fixed in ADOdb version 5.22.10, as detailed in the project's GitHub commit, issue tracker, and security advisory (GHSA-vf2r-cxg9-p7rf). A workaround involves ensuring only controlled, trusted data is passed to the $table parameter of the affected methods. Debian LTS has also announced tracking and mitigation for affected packages.
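The following script is an added illustration of the flaw class and of the two defences named above; it is not ADOdb's code, and the metadata query it builds (a pragma_table_info lookup with the table name spliced into a string literal) is an assumed stand-in for whatever query the library itself issues. It runs against an in-memory SQLite database with a constructed schema: a crafted table name turns a column listing into a read of an unrelated table, a parameterised allowlist check against sqlite_master rejects the same name (the advisory's "only pass controlled data" workaround), and escaping the quote character in the literal (the kind of fix 5.22.10 applies) closes the injection even for names that pass the check.

```python
import sqlite3


def make_db():
    """Constructed sample schema: a table whose columns a legitimate caller
    wants, plus a second table holding data the attacker wants to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE api_tokens (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO api_tokens (token) VALUES ('tok_secret_123');
        """
    )
    return conn


def meta_columns_vulnerable(conn, table):
    """CWE-89 pattern: the table name is spliced into a metadata query.

    Stand-in for the flaw class described in the advisory; the query shape
    is an assumption, not ADOdb's own implementation.
    """
    sql = "SELECT name, type FROM pragma_table_info('%s')" % table
    return conn.execute(sql).fetchall()


def is_known_table(conn, table):
    """Workaround check: the name must be one the schema actually contains.

    The lookup itself is parameterised, so the untrusted name never touches
    SQL syntax.
    """
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row is not None


def meta_columns_safe(conn, table):
    """Validated name plus correct escaping of the string literal.

    Escaping is what a library-side fix provides; the allowlist is the
    advisory's workaround for callers that cannot upgrade.
    """
    if not is_known_table(conn, table):
        raise ValueError("unknown table: %r" % table)
    escaped = table.replace("'", "''")
    sql = "SELECT name, type FROM pragma_table_info('%s')" % escaped
    return conn.execute(sql).fetchall()


# Attacker-controlled value (constructed): closes the string literal, appends
# a UNION that reads the other table, and comments out the trailing quote and
# parenthesis that the vulnerable query adds after it.
PAYLOAD = "users') UNION SELECT token, 'leaked' FROM api_tokens -- "


def run_demo():
    """Return the three results a reviewer would compare side by side."""
    conn = make_db()
    return {
        "vulnerable_rows": meta_columns_vulnerable(conn, PAYLOAD),
        "safe_rows": meta_columns_safe(conn, "users"),
        "payload_accepted": is_known_table(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note that Python's sqlite3 driver refuses to run more than one statement per execute() call, so a stacked `; DROP TABLE` payload fails here; the UNION form still succeeds because it is a single statement. Validating the name against the schema, and escaping it regardless, is what actually stops it.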


Vulnerability details

ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To work around this issue, only pass controlled data to the $table parameter of the metaColumns(), metaForeignKeys() and metaIndexes() methods.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated SQL injection in a database abstraction library used by applications, enabling arbitrary SQL execution via crafted input to public-facing methods (metaColumns etc.).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

ADOdb (PHP database abstraction library), versions 5.22.9 and earlier, when used with a SQLite3 database (inferred from references and description; NVD did not file a CPE for this CVE).

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 Flaw Remediation: Remediates the SQL injection vulnerability in ADOdb by patching to version 5.22.10, directly eliminating the improper escaping flaw.

prevent · SI-10 Information Input Validation: Validates table name inputs to the ADOdb metaColumns(), metaForeignKeys(), and metaIndexes() methods (for example, by checking them against the set of table names the application actually uses), preventing arbitrary SQL execution on SQLite3 databases.

prevent: Restricts the $table parameter to controlled, trusted data only, implementing the recommended workaround for deployments that cannot upgrade immediately.
