CVE-2025-54119: 
PHP vulnerability analysis and mitigation

ADOdb, a PHP database class library providing abstractions for database operations, was found to contain a critical SQL injection vulnerability (CVE-2025-54119) in versions 5.22.9 and below. The vulnerability was discovered in August 2025 and affects the SQLite3 driver implementation. With over 88,000 monthly downloads, this widely-used library's security flaw poses significant risks to applications utilizing its database abstraction capabilities (Security Online, NVD).

The vulnerability stems from improper escaping of query parameters in the SQLite3 driver when handling table names in specific metadata retrieval methods: metaColumns(), metaForeignKeys(), and metaIndexes(). The flaw has been assigned the highest possible CVSS v3.1 score of 10.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L, indicating its severe nature. The vulnerability is classified as CWE-89 (SQL Injection) (GitHub Advisory, NVD).

If exploited, this vulnerability allows attackers to execute arbitrary SQL statements on the database when the affected methods are called with crafted table names. The impact is particularly severe in scenarios where user-supplied data is passed directly to these methods without proper validation. The vulnerability affects the confidentiality and integrity of the database, potentially allowing unauthorized access to and modification of sensitive data (GitHub Advisory).

The vulnerability has been patched in ADOdb version 5.22.10. Users are strongly encouraged to upgrade to this version immediately. For those unable to upgrade immediately, a temporary workaround is to ensure that only controlled data is passed to the metaColumns(), metaForeignKeys(), and metaIndexes() methods' $table parameter. However, this manual validation should only be considered a temporary measure (GitHub Advisory, GitHub Commit).