Advisory

Critical SQL Injection flaw reported in ADOdb PHP database library

Take action: If you're using ADOdb with SQLite3 databases, upgrade to version 5.22.10 to fix a critical SQL injection vulnerability. If you can't upgrade right away, add strict input validation so that unsanitized user data never reaches the metaColumns(), metaForeignKeys(), and metaIndexes() methods.


Learn More

ADOdb has patched a critical SQL injection vulnerability in the SQLite3 driver of its PHP database abstraction library.

The flaw is tracked as CVE-2025-54119 (CVSS score 10) and is caused by inadequate input sanitization in three metadata methods of the SQLite3 driver:

  • metaColumns()
  • metaForeignKeys()
  • metaIndexes()

When these methods are called with attacker-controlled arguments (typically the table name), the injected SQL is executed against the underlying SQLite3 database. The flaw is most dangerous in applications that pass user-supplied data directly to the affected methods without validation or sanitization.

Affected versions: ADOdb 5.22.9 and earlier, in all editions, when the SQLite3 driver is used.

ADOdb has already patched this vulnerability in version 5.22.10. The patch implements proper parameter escaping within the affected metadata methods so that the values they receive can no longer alter the query. Organizations using ADOdb with SQLite3 databases should upgrade immediately to mitigate this critical risk.

Organizations that can't upgrade immediately should implement application-level input validation so that only controlled, sanitized values (for example, table names matched against an allowlist derived from the schema) are passed to the metaColumns(), metaForeignKeys(), and metaIndexes() methods.
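As an added example that is not part of the original advisory or the ADOdb code base, the PHP snippet below shows the risky call pattern on an unpatched version and one way to implement the interim mitigation: a table name taken from the request is accepted only if it is a plain SQL identifier and exactly matches a table that ADOdb itself reports through its existing metaTables() method. The Composer autoload path, the database path and the request parameter name are assumptions made for the example.

```php
<?php
// Added example for this advisory; not code from the ADOdb project.
// Assumptions: ADOdb (adodb/adodb-php) is installed via Composer, and a
// SQLite3 database file exists at $dbPath. The table name is read from a
// request parameter to show the risky pattern.
require_once __DIR__ . '/vendor/autoload.php';

$dbPath = __DIR__ . '/app.sqlite';   // assumed path
$db = ADONewConnection('sqlite3');
if (!$db->Connect($dbPath)) {
    exit('connect failed: ' . $db->ErrorMsg());
}

$requested = $_GET['table'] ?? '';

// Risky pattern on ADOdb <= 5.22.9: the raw request value becomes the
// table-name argument of a metadata method, where the driver builds its
// query without escaping it.
// $cols = $db->metaColumns($requested);

/**
 * Return $requested only if it is a plain SQL identifier that exactly
 * matches a table ADOdb reports for this connection. Anything else is
 * rejected before any metadata method is called.
 */
function guardTableName(ADOConnection $db, string $requested): string
{
    // Step 1: syntactic check. Quotes, parentheses, semicolons and
    // whitespace, which an injection payload needs, are all refused.
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $requested)) {
        throw new InvalidArgumentException('table name is not a valid identifier');
    }

    // Step 2: semantic check. metaTables() is an existing ADOdb method;
    // the list it returns comes from the schema, not from the user, so
    // it serves as the allowlist.
    $known = $db->metaTables('TABLES');
    if ($known === false || !in_array($requested, $known, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return $requested;
}

try {
    $table = guardTableName($db, $requested);

    // All three methods named in the advisory now receive a vetted name.
    // Each returns false when there is nothing to report; normalise to [].
    $columns = $db->metaColumns($table) ?: [];
    $indexes = $db->metaIndexes($table) ?: [];
    $fkeys   = $db->metaForeignKeys($table) ?: [];

    header('Content-Type: application/json');
    echo json_encode([
        'table'        => $table,
        'columns'      => array_keys($columns),
        'indexes'      => array_keys($indexes),
        'foreign_keys' => $fkeys,
    ], JSON_PRETTY_PRINT);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'rejected: ' . $e->getMessage();
}
```

The gate is a stopgap for installations that cannot move to 5.22.10 yet, not a replacement for the upgrade; to confirm which version is installed, run `composer show adodb/adodb-php` in the project directory. Because the comparison against metaTables() is an exact string match, a request must use the same letter case as the schema; that is deliberate, since relaxing it would widen the accepted input without any benefit to legitimate callers.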
