SQL Injection Risk in PHP's PDO SQLite Driver (Affected PHP Versions)
CVE-2022-31631
9.1 CRITICAL
Summary
A vulnerability exists in PHP's PDO::quote() function in the SQLite driver, affecting multiple versions of PHP. When an excessively long user-supplied string is passed to PDO::quote(), the function can return an incorrectly quoted result. Applications that build SQL text from the quoted value are therefore exposed to SQL injection, allowing an attacker to alter the intended database query. Users are encouraged to update to a fixed version to mitigate this serious risk.
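To make the exposure concrete, the following is an added example (not code from the advisory or from PHP itself) that contrasts the fragile pattern, where query safety rests entirely on PDO::quote() producing a correct literal, with the hardened pattern of bound parameters, where the value never becomes part of the SQL text. It uses an in-memory SQLite database, and the length limit MAX_NAME_LEN is an assumed application setting, not a value from the advisory.

```php
<?php
// Added example (not part of the advisory): quote()-based escaping versus
// bound parameters on the SQLite PDO driver. In-memory DB, runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('o''brien')");

// Fragile pattern: the query is only safe if PDO::quote() returns a properly
// quoted literal. CVE-2022-31631 is a case where, for very long input on
// affected versions, that assumption did not hold.
function findByNameQuoted(PDO $pdo, string $name): array {
    $sql = 'SELECT id, name FROM users WHERE name = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value is bound at execution time, so the driver's
// quoting code is not in the trust path at all. This is the preferred fix
// regardless of PHP version.
function findByNameBound(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth where quote() cannot be removed yet: reject input far
// beyond what the column can legitimately hold before it reaches the driver.
// MAX_NAME_LEN is an assumed application limit, not a value from the advisory.
const MAX_NAME_LEN = 256;
function quoteChecked(PDO $pdo, string $value, int $max = MAX_NAME_LEN): string {
    if (strlen($value) > $max) {
        throw new LengthException("input exceeds {$max} bytes");
    }
    return $pdo->quote($value);
}

// A name containing an apostrophe exercises the quoting path in both forms.
$probe = "o'brien";
printf("bound:  %d row(s)\n", count(findByNameBound($pdo, $probe)));
printf("quoted: %d row(s)\n", count(findByNameQuoted($pdo, $probe)));
printf("checked literal: %s\n", quoteChecked($pdo, $probe));
```

Migrating findByNameQuoted-style code to the bound form removes the dependency on PDO::quote() entirely; the length guard is only a stopgap for code paths that still concatenate quoted values.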
Affected Version(s)
PHP 8.0.x
PHP 8.0.x < 8.0.27
PHP 8.1.x < 8.1.15
References
CVSS V3.1
Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved