Heap Buffer Overflow in SQLite `concat_ws()` Function
CVE-2025-3277

6.9MEDIUM

Key Information:

Vendor: Sqlite
Status: Concat Ws()
Vendor: CVE Published:; 14 April 2025

What is CVE-2025-3277?

A vulnerability in SQLite's concat_ws() function allows for an integer overflow, which can be exploited to allocate an insufficient buffer size. When SQLite attempts to write to this buffer, it uses the original size, leading to a wild heap buffer overflow scenario. This overflow can be manipulated to execute arbitrary code, posing serious security risks for applications utilizing vulnerable SQLite versions.

Affected Version(s)

concat_ws() < 3.49.1

References

https://sqlite.org/src/info/498e3f1cf57f164f

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Apr 14, 2025
Vulnerability Reserved
Apr 4, 2025

Credit

王跃林 (Yuelin Wang)