SQL Injection Vulnerability in ESAPI esapi-java-legacy Affected by Improper Neutralization
CVE-2025-5878
What is CVE-2025-5878?
A security vulnerability exists in ESAPI esapi-java-legacy in the Encoder.encodeForSQL function, caused by inadequate neutralization of special characters in the value being escaped. The flaw can be triggered remotely and could allow unauthorized database access when the escaped value is spliced into a query string. The development team addressed the issue promptly. Users are strongly encouraged to upgrade to version 2.7.0.0, which disables the vulnerable feature by default and issues warnings when an application attempts to use it. The documentation has also been improved to better inform users of the risks of relying on output encoding for SQL.
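As an added illustration (not code from the advisory or from the ESAPI project), the following Java snippet contrasts the usage pattern the advisory concerns, escaping a value with Encoder.encodeForSQL and concatenating it into a query, with the parameterized form that removes the need for neutralization entirely. The class, method names and table layout are assumptions for the example; the ESAPI calls are the library's own API.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.MySQLCodec;

// Hypothetical lookup class used to show both patterns side by side.
public class UserLookup {

    // Pattern the advisory concerns: the caller escapes the value with
    // Encoder.encodeForSQL and splices it into the query text. Correct
    // escaping depends on codec, character set and server settings, which
    // is why ESAPI 2.7.0.0 disables this path by default and warns on use.
    static String legacyQuery(String username) {
        String escaped = ESAPI.encoder().encodeForSQL(
                new MySQLCodec(MySQLCodec.Mode.STANDARD), username);
        return "SELECT id, email FROM users WHERE name = '" + escaped + "'";
    }

    // Hardened form: parameter binding keeps the value out of the SQL
    // grammar, so no neutralization step is required at all.
    static ResultSet lookup(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT id, email FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }
}
```

Before upgrading, an inventory of call sites (for example `grep -rn encodeForSQL src/`) shows which queries still rely on the legacy path and should be moved to parameter binding.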

Affected Version(s)
esapi-java-legacy 2.0-rc10
esapi-java-legacy 2.0-rc11
esapi-java-legacy 2.0.1
