A critical SQL injection vulnerability has been disclosed in ADOdb, a widely used PHP database abstraction library. Tracked as CVE-2025-54119, the flaw has been assigned the maximum CVSS score of 10.0, reflecting its potential impact when untrusted input reaches the affected code.
With more than 88,000 downloads per month, ADOdb serves as the database layer for a large number of PHP projects. The vulnerability is confined to the SQLite3 driver and affects versions prior to 5.22.10.
The root of the vulnerability lies in improper escaping of table names passed to the following methods:
- metaColumns()
- metaForeignKeys()
- metaIndexes()
If untrusted user input is passed as the $table parameter to any of these functions, an attacker could exploit it to inject and execute arbitrary SQL statements on the database.
“The indicated Severity corresponds to a worst-case usage scenario, e.g. allowing user-supplied data to be sent as-is to the above-mentioned methods,” the advisory notes.
These methods are normally used for schema introspection (retrieving column metadata, index definitions or foreign-key relations), so they are rarely thought of as an attack surface. The table name can nevertheless reach them from code paths that are not obvious data-entry endpoints, such as admin or reporting features that let a user choose which table to inspect; wherever that choice is passed through unchecked, the attacker controls the SQL the driver executes.
The ADOdb maintainers fixed the vulnerability in version 5.22.10 (commit 5b8bd52). Anyone using ADOdb with the SQLite3 driver, in any capacity, should upgrade without delay.
If an upgrade is not immediately possible, the advisory's mitigation is to make sure that only application-controlled values ever reach the $table parameter of the affected methods, for example by checking a requested name against the list of tables that actually exist in the database before passing it on.
“Only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() methods’ $table parameter.”
Manual validation is a stopgap, however: it has to be applied at every call site and is easy to miss when new code is added, so it should be treated as a temporary measure until the upgrade is in place.
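The following is an added example, not code from the ADOdb project or from the advisory, showing the vulnerable call pattern described above beside the mitigation the advisory recommends. It assumes ADOdb is installed through Composer, that the application's SQLite database file lives at the path in $dbPath, and that the SQLite3 driver accepts that path as the first argument to connect(); the function names describeTableUnsafe() and describeTableSafe() are hypothetical. The allowlist is built from metaTables(), whose input is never user-controlled, so the request can only ever select a table that really exists.

```php
<?php
// Added example: not part of ADOdb or the advisory.
// Assumes ADOdb installed via Composer (adodb/adodb-php) and an SQLite
// database file at $dbPath (assumed location).
require_once __DIR__ . '/vendor/autoload.php';

$dbPath = __DIR__ . '/app.sqlite';
$db = newAdoConnection('sqlite3');
// Assumption: the sqlite3 driver takes the database file path as the
// first connect() argument.
if (!$db->connect($dbPath)) {
    die('connect failed: ' . $db->errorMsg() . "\n");
}

// Vulnerable pattern (ADOdb < 5.22.10): the request parameter reaches
// metaColumns() untouched, so whoever controls ?table= controls the SQL
// the driver builds for schema introspection.
function describeTableUnsafe($db, array $request)
{
    return $db->metaColumns($request['table'] ?? '');
}

// Hardened pattern: a table name is forwarded only if the database itself
// reports it via metaTables(). Strict comparison means the exact spelling
// the database uses is required; anything else is rejected.
function describeTableSafe($db, array $request)
{
    $requested = (string)($request['table'] ?? '');

    // Cheap syntactic guard first: plain identifiers only, so quotes,
    // whitespace and punctuation never get as far as the driver.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $requested)) {
        return false;
    }

    // Allowlist against the real schema. metaTables() takes no user input.
    $known = $db->metaTables();
    if ($known === false || !in_array($requested, $known, true)) {
        return false;
    }

    // $requested is now known to be an existing, application-vetted table name.
    return $db->metaColumns($requested);
}

// Usage: answer a request for column metadata without trusting ?table=.
$columns = describeTableSafe($db, $_GET);
if ($columns === false) {
    http_response_code(400);
    echo "unknown table\n";
} else {
    foreach ($columns as $col) {
        echo $col->name, ' ', $col->type, "\n";
    }
}
```

The same allowlist check should wrap metaIndexes() and metaForeignKeys() wherever a user-chosen table name reaches them. The regex on its own is deliberately not the security boundary (SQLite accepts quoted identifiers the regex would refuse, and a bare regex is easy to weaken later); the metaTables() comparison is what guarantees the value is one the application already controls, and it remains a sensible defence-in-depth check even after upgrading to 5.22.10.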