
A critical security flaw has been disclosed in ADOdb, the widely used PHP database abstraction library with over 2.8 million installations worldwide. Tracked as CVE-2025-46337, the vulnerability resides in the PostgreSQL driver's pg_insert_id() method and can allow an attacker to execute arbitrary SQL statements against the database of a vulnerable application.
According to the advisory: “Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data.”
This SQL injection flaw has been assigned the highest possible CVSS score of 10.0. The vulnerability affects multiple PostgreSQL drivers, including postgres64, postgres7, postgres8, and postgres9.
The vulnerability is triggered when user-controlled input is passed as the $fieldname parameter of the pg_insert_id() method without escaping or validation. The parameter is embedded into the text of the SQL statement the method runs, so characters in the value can alter the statement itself rather than merely naming a field, letting an attacker manipulate the query and potentially compromise the underlying database.
“Note that the indicated Severity corresponds to a worst-case usage scenario,” the advisory clarifies.
In the most dangerous configuration, where input is passed directly from HTTP request parameters or user form data into pg_insert_id(), an attacker could run arbitrary SQL with the privileges of the application's database role, enabling data theft or deletion, and potentially remote code execution depending on database permissions and integrations.
The vulnerability was patched in ADOdb version 5.22.9, specifically in commit 11107d6. Developers are strongly advised to upgrade immediately to eliminate the risk.
For those unable to upgrade right away, the advisory offers a temporary workaround: “Only pass controlled data to pg_insert_id() method’s $fieldname parameter, or escape it with pg_escape_identifier() first.”
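The following PHP is an added illustration of the bug class and of the advisory's two workarounds; it is not ADOdb's source code and does not reproduce the patched or unpatched implementation. It assumes, for illustration only, that the unpatched method derives a sequence name from $tablename and $fieldname by string concatenation and runs it unquoted. The helper quoteIdentifier() is a local stand-in for pg_escape_identifier(), which requires an open PostgreSQL connection, so that the example runs offline; assertPlainIdentifier() is the hypothetical allow-list check for "only pass controlled data".

```php
<?php
declare(strict_types=1);

// Added example for CVE-2025-46337's bug class; NOT ADOdb's source.
// Assumption: the unpatched method builds "<table>_<field>_seq" by concatenation
// and executes it unquoted, so the value is treated as SQL text.
// Requires PHP 8.0+ (str_contains); no database connection needed.

/** Vulnerable pattern (assumed shape): the identifier is pasted into the statement verbatim. */
function buildInsertIdQueryVulnerable(string $tablename, string $fieldname): string
{
    return 'SELECT last_value FROM ' . $tablename . '_' . $fieldname . '_seq';
}

/**
 * Quote a PostgreSQL identifier the way pg_escape_identifier() does: wrap in
 * double quotes and double any embedded double quote. Local stand-in so the
 * example runs offline; with a live connection use pg_escape_identifier($conn, $name).
 */
function quoteIdentifier(string $name): string
{
    if (str_contains($name, "\0")) {
        throw new InvalidArgumentException('identifier contains a NUL byte');
    }
    return '"' . str_replace('"', '""', $name) . '"';
}

/** Allow-list check (hypothetical helper): accept only a plain unquoted SQL name. */
function assertPlainIdentifier(string $name): void
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,62}$/', $name)) {
        throw new InvalidArgumentException('refusing unexpected identifier: ' . $name);
    }
}

/** Hardened pattern: validate both parts, then quote the assembled sequence name. */
function buildInsertIdQueryHardened(string $tablename, string $fieldname): string
{
    assertPlainIdentifier($tablename);
    assertPlainIdentifier($fieldname);
    return 'SELECT last_value FROM ' . quoteIdentifier($tablename . '_' . $fieldname . '_seq');
}

// Constructed attacker input: terminates the intended statement and appends another.
// pg_query() (unlike pg_query_params()) executes every statement in the string.
$tainted = 'id; DROP TABLE users; --';

echo buildInsertIdQueryVulnerable('accounts', $tainted), PHP_EOL;

// Quoting alone already defangs the payload: the whole value becomes one identifier.
echo 'SELECT last_value FROM ' . quoteIdentifier('accounts_' . $tainted . '_seq'), PHP_EOL;

// The allow-list rejects the value outright before any SQL is built.
try {
    buildInsertIdQueryHardened('accounts', $tainted);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}

// Controlled data passes and yields a single, properly quoted sequence name.
echo buildInsertIdQueryHardened('accounts', 'id'), PHP_EOL;
```

Run with `php example.php`. The first line printed contains two statements, which is the injection; the second shows that identifier quoting turns the same value into a single (non-existent) sequence name, so the worst outcome is a query error; the third shows the allow-list refusing it before any SQL is assembled. In production, prefer the allow-list where the set of field names is known, and use pg_escape_identifier() on an open connection rather than a hand-rolled quoting function.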