
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in ESAPI esapi-java-legacy in the Encoder.encodeForSQL method, part of the library's SQL Injection Defense mechanism. It is classified as problematic and stems from improper neutralization of special elements. Versions up to and including 2.6.2.0 are affected; the issue was disclosed on June 29, 2025 and has been assigned CVE-2025-5878 (NVD).
encodeForSQL is an escaping routine: it is meant to neutralize characters that are special to the target database so that untrusted input can be concatenated into a SQL string. An escaper that fails to neutralize every special element lets input that has passed through it still change the meaning of the query it is spliced into, which is the weakness reported here. The vulnerability received a CVSS v3.1 Base Score of 7.3 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, and is classified under CWE-138 (Improper Neutralization of Special Elements) and CWE-20 (Improper Input Validation) (NVD).
An application that relies on encodeForSQL to make untrusted input safe for string-built queries can therefore remain exposed to SQL injection. Successful exploitation could allow reading or modifying database contents or executing additional SQL statements with the application's database privileges. The attack can be initiated remotely with no authentication or user interaction (PR:N/UI:N), and exploit details have been publicly disclosed (NVD).
The vulnerability has been addressed in version 2.7.0.0. Two commits make up the fix: f75ac2c2647a81d2cfbdc9c899f8719c240ed512 disables the feature by default and adds a warning for any attempt to use it, while e2322914304d9b1c52523ff24be495b7832f6a56 updates the Java class documentation to warn about the risks. Users are strongly recommended to upgrade to version 2.7.0.0 (GitHub Release). Note that the upgrade does not make encodeForSQL safe; it turns the method off. Code paths that still call it should be migrated to parameterized queries (JDBC PreparedStatement with bound parameters) rather than re-enabled, since binding parameters keeps untrusted data out of the SQL text entirely and does not depend on an escaper.
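As an added illustration (this is example code written for this page, not code from the ESAPI project or the advisory), the Java sketch below shows the pattern the advisory concerns next to the replacement the upgrade pushes callers toward. The users table, its username and email columns, the choice of the MySQL codec and the JDBC connection are assumptions for the example. It deliberately does not show a bypass payload; the advisory does not publish one and none is needed to see why the second method is the one to keep.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.MySQLCodec;

/**
 * Two ways of looking up a user's e-mail address by username.
 * Schema (assumed for this example): users(username VARCHAR, email VARCHAR).
 */
public class UserLookup {

    /**
     * "Before" form: the untrusted username is escaped with
     * Encoder.encodeForSQL and then concatenated into the query text.
     * This is the usage CVE-2025-5878 concerns: correctness rests entirely
     * on the escaper neutralizing every special element for this database
     * and quoting context. On ESAPI 2.7.0.0 and later the call is disabled
     * by default and will not run unless explicitly re-enabled.
     */
    static String lookupWithEncodeForSql(Connection conn, String untrustedUsername)
            throws SQLException {
        // MySQL in its default (non-ANSI) quoting mode; assumed for the example.
        Codec<?> codec = new MySQLCodec(MySQLCodec.Mode.STANDARD);
        String escaped = ESAPI.encoder().encodeForSQL(codec, untrustedUsername);

        // The attacker-controlled value becomes part of the SQL grammar.
        String sql = "SELECT email FROM users WHERE username = '" + escaped + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("email") : null;
        }
    }

    /**
     * Recommended form: the query text is fixed and the username is sent
     * to the database as a bound parameter. No character in the input can
     * change the statement's structure, so no escaping step is involved.
     */
    static String lookupWithPreparedStatement(Connection conn, String untrustedUsername)
            throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, untrustedUsername);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }
}
```

When auditing a code base for this CVE, grep for `encodeForSQL(` rather than for a particular codec: every call site is a place where the query is being assembled from strings, and each one should become a PreparedStatement (or the equivalent bound-parameter API of the ORM or driver in use). Upgrading to 2.7.0.0 first is still worthwhile, because the disabled-by-default behaviour turns any call site you missed into a visible failure instead of a silent weak spot.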
The maintainers credited security researcher Longlong Gong (uglory-gll) with the discovery, and the release was accompanied by documentation and a security bulletin describing the change and the migration expected of affected users (GitHub Release).
Source: This report was generated using AI