SQL Injection Vulnerability in ADOdb PHP Database Library

CVE-2025-46337

What is CVE-2025-46337?

CVE-2025-46337 is a notable vulnerability within the ADOdb PHP Database Library, an essential tool for developers working with PHP to interact with relational databases. This library simplifies database management and query execution for various database systems, including PostgreSQL. The vulnerability stems from improper handling of user-supplied query parameters, which could allow an attacker to launch SQL injection attacks. The potential for arbitrary SQL statement execution poses a significant risk to organizations, as it could lead to unauthorized access to sensitive data, data manipulation, or even system compromise.

Technical Details

The vulnerability occurs in versions of ADOdb prior to 5.22.9. It specifically affects environments where ADOdb is used to connect to a PostgreSQL database and calls the pg_insert_id() function with inputs provided by users. Due to insufficient escaping of these parameters, attackers can craft malicious inputs that manipulate SQL queries, potentially executing arbitrary SQL commands on the database. ADOdb has since patched this issue in version 5.22.9, making it crucial for users to update to this version or later.

Potential Impact of CVE-2025-46337

1. Unauthorized Data Access: Exploiting this vulnerability can give attackers access to confidential data stored within the database, leading to potential breaches of sensitive information.

2. Data Manipulation: Attackers could alter, delete, or corrupt the data within the database, disrupting operations and potentially leading to data loss or integrity issues.

3. System Compromise: The ability to execute arbitrary SQL statements can pave the way for further attacks, allowing adversaries to escalate privileges, manipulate system functions, or deploy malicious payloads within the affected environment.

References