CVE-2025-46337: 
PHP vulnerability analysis and mitigation

ADOdb, a PHP database class library that provides abstractions for performing queries and managing databases, was found to contain a critical SQL injection vulnerability (CVE-2025-46337) prior to version 5.22.9. The vulnerability was discovered by Marco Nappi (@mrcnpp) and disclosed on May 1, 2025. The issue affects the PostgreSQL drivers (postgres64, postgres7, postgres8, postgres9) in the ADOdb library (GitHub Advisory).

The vulnerability stems from improper escaping of query parameters in the pginsertid() method when connecting to a PostgreSQL database. The issue received a CVSS v3.1 base score of 10.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L. The vulnerability is classified as CWE-89 (SQL Injection) (GitHub Advisory, NVD).

When exploited, this vulnerability allows attackers to execute arbitrary SQL statements through user-supplied data passed to the pginsertid() method. The high severity rating indicates potential for significant data breach and system compromise, with high impact on both confidentiality and integrity of the affected systems (GitHub Advisory).

The vulnerability has been patched in ADOdb version 5.22.9. For users unable to update immediately, a workaround is available: only pass controlled data to pginsertid() method's $fieldname parameter, or escape it with pgescapeidentifier() first. The fix involves proper escaping of the sequence name using pgescapeidentifier() (GitHub Commit, GitHub Advisory).

The vulnerability was initially discovered through Static Analysis Security Testing (SAST) by security researcher Marco Nappi, who documented the discovery process in a detailed blog post. The ADOdb maintainers, particularly Dregad, were praised for their professional handling of the vulnerability disclosure and patch release process (Xaliom Blog).