CVE-2025-29087: 
SQLite vulnerability analysis and mitigation

In SQLite versions 3.44.0 through 3.49.0 before 3.49.1, a vulnerability was discovered in the concat_ws() SQL function (CVE-2025-29087). The vulnerability was identified on April 7, 2025, affecting SQLite database software. The issue involves an integer overflow vulnerability that can lead to memory corruption when processing certain SQL queries (NVD, CVE).

The vulnerability occurs in the concat_ws() SQL function where memory can be written beyond the end of a malloc-allocated buffer. When the separator argument is attacker-controlled and contains a large string (2MB or more), an integer overflow occurs during the calculation of the result buffer size. This causes malloc to allocate insufficient memory for the operation. The vulnerability has been assigned a CVSS v3.1 base score of 3.2 (LOW) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L (NVD).

The primary impact of this vulnerability is the potential for memory corruption through buffer overflow, which could lead to application crashes and denial of service conditions. The vulnerability requires the attacker to have the ability to control the separator argument in the concatws() function with a large string ([SQLite Release](https://sqlite.org/releaselog/349_1.html)).

The vulnerability has been fixed in SQLite version 3.49.1, released on February 18, 2025. Users are advised to upgrade to this version or later to address the issue. The fix specifically addresses the integer overflow calculation in the concatws() function ([SQLite Release](https://sqlite.org/releaselog/349_1.html)).