CVE-2025-46337
📋 TL;DR
This is a critical SQL injection vulnerability in the ADOdb PHP database library affecting PostgreSQL connections. Attackers can execute arbitrary SQL statements when user-supplied data is passed to the pg_insert_id() function. All applications using ADOdb with PostgreSQL databases prior to version 5.22.9 are affected.
💻 Affected Systems
- ADOdb PHP Database Library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.
Likely Case
Data exfiltration, unauthorized data modification, and potential application compromise through database access.
If Mitigated
Limited impact with proper input validation and parameterized queries, though the vulnerability still exists at library level.
🎯 Exploit Status
Exploitation requires user input to reach pg_insert_id() function. Public technical details available in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.22.9
Vendor Advisory: https://github.com/ADOdb/ADOdb/security/advisories/GHSA-8x27-jwjr-8545
Restart Required: No
Instructions:
1. Update ADOdb to version 5.22.9 or later.
2. Replace the current ADOdb files with the patched version.
3. Verify there are no breaking changes in your application.
4. Test database functionality.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation for all parameters passed to the pg_insert_id() function.
Use Parameterized Queries
Avoid passing user input directly to pg_insert_id(); use prepared statements for data values.
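The workaround above in working form, as an added example that is not ADOdb's own code: pg_insert_id() takes a table name and a serial column name, which are SQL identifiers and cannot be bound as prepared-statement parameters, so the practical control is an allowlist wrapper that request data can never bypass. It assumes $db is an ADOdb PostgreSQL connection object, that the allowlist is replaced with your schema's real table/column pairs, and that ADOConnection::Version() returns the library version string.

```php
<?php
// Added example (not ADOdb's own code). Assumes $db is an ADOdb PostgreSQL
// connection (e.g. ADONewConnection('postgres9')) and that ALLOWED below is
// replaced with the table / serial-column pairs your schema actually uses.

final class SafeInsertId
{
    /** Constructed sample allowlist: table name => serial column name. */
    private const ALLOWED = [
        'users'  => 'id',
        'orders' => 'order_id',
    ];

    /** Plain SQL identifier: letters, digits, underscore; no quotes or punctuation. */
    private const IDENT = '/^[A-Za-z_][A-Za-z0-9_]{0,62}$/';

    /**
     * Returns the last sequence value for $table.$field, but only when the pair
     * is allowlisted. Untrusted request data therefore never reaches pg_insert_id().
     */
    public static function lastInsertId($db, string $table, string $field): int
    {
        if (!isset(self::ALLOWED[$table]) || self::ALLOWED[$table] !== $field) {
            throw new InvalidArgumentException("table/field not allowlisted: $table.$field");
        }
        // Defence in depth: even allowlisted entries must be plain identifiers,
        // so a careless edit to ALLOWED cannot reintroduce the injection.
        if (!preg_match(self::IDENT, $table) || !preg_match(self::IDENT, $field)) {
            throw new InvalidArgumentException('identifier contains disallowed characters');
        }
        return (int) $db->pg_insert_id($table, $field);
    }

    /** True when the loaded ADOdb is older than the fixed release (5.22.9). */
    public static function libraryIsVulnerable(): bool
    {
        // Assumes ADOConnection::Version() (static) returns e.g. "5.22.8".
        return version_compare(ADOConnection::Version(), '5.22.9', '<');
    }
}

// Usage (constructed):
// $db = ADONewConnection('postgres9'); $db->Connect($host, $user, $pass, $dbname);
// if (SafeInsertId::libraryIsVulnerable()) { error_log('ADOdb < 5.22.9: upgrade'); }
// $db->Execute('INSERT INTO users (name) VALUES (?)', ['alice']);   // data value: bound
// $id = SafeInsertId::lastInsertId($db, 'users', 'id');             // identifiers: allowlisted
// SafeInsertId::lastInsertId($db, $_GET['t'], $_GET['f']);          // throws unless allowlisted
```

Log the InvalidArgumentException path: a rejected table/field pair is itself a useful detection signal for the indicators listed below.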
🧯 If You Can't Patch
- Implement WAF rules to detect and block SQL injection attempts targeting pg_insert_id()
- Restrict database user permissions to minimum required, implement network segmentation
🔍 How to Verify
Check if Vulnerable:
Check if ADOdb version is below 5.22.9 and application uses PostgreSQL with pg_insert_id() calls
Check Version:
Check ADOdb version in PHP code or composer.json: grep -r 'ADOdb' /path/to/app | grep -i version
Verify Fix Applied:
Verify ADOdb version is 5.22.9 or higher and test pg_insert_id() functionality
📡 Detection & Monitoring
Log Indicators:
- Unusual PostgreSQL query patterns
- Multiple failed or errored queries originating from pg_insert_id() calls
- SQL error messages containing user input
Network Indicators:
- Unusual database traffic patterns
- SQL injection payloads in HTTP requests
SIEM Query:
source="web_logs" AND ("pg_insert_id" OR "ADOdb") AND (sql_injection_indicators)
🔗 References
- https://github.com/ADOdb/ADOdb/commit/11107d6d6e5160b62e05dff8a3a2678cf0e3a426
- https://github.com/ADOdb/ADOdb/issues/1070
- https://github.com/ADOdb/ADOdb/security/advisories/GHSA-8x27-jwjr-8545
- https://lists.debian.org/debian-lts-announce/2025/05/msg00029.html
- https://xaliom.blogspot.com/2025/05/from-sast-to-cve-2025-46337.html