CVE-2025-5878

7.3 HIGH

📋 TL;DR

This vulnerability in ESAPI esapi-java-legacy allows SQL injection through the Encoder.encodeForSQL interface, which fails to properly neutralize special elements in the input it is meant to escape. It affects applications that rely on this method for SQL injection defense, potentially enabling remote attackers to execute arbitrary SQL commands. The vulnerability is particularly concerning because an exploit has been publicly disclosed.

💻 Affected Systems

Products:
  • ESAPI esapi-java-legacy
Versions: All versions before 2.7.0.0
Operating Systems: All operating systems running Java applications using ESAPI
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the Encoder.encodeForSQL interface for SQL injection defense.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise including data theft, data manipulation, or complete system takeover through SQL injection leading to remote code execution.

🟠 Likely Case

SQL injection allowing unauthorized data access, data modification, or privilege escalation in affected applications.

🟢 If Mitigated

Limited impact if proper input validation and parameterized queries are already in place alongside ESAPI.

🌐 Internet-Facing: HIGH - Attack can be initiated remotely and public exploit exists.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this vulnerability if they have network access to affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

An exploit has been publicly disclosed, and the vulnerability sits in a security library whose purpose is to prevent SQL injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.0.0

Vendor Advisory: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin13.pdf

Restart Required: Yes

Instructions:

1. Upgrade ESAPI esapi-java-legacy to version 2.7.0.0 or later.
2. Update dependencies in your project configuration (Maven pom.xml, Gradle build.gradle, etc.).
3. Rebuild and redeploy your application.
4. Restart application servers.

🔧 Temporary Workarounds

Disable Encoder.encodeForSQL usage (applies to: all)

Stop using the vulnerable Encoder.encodeForSQL interface and switch to parameterized queries or other SQL injection prevention methods.

Code modification required: replace Encoder.encodeForSQL calls with prepared statements or other secure alternatives.
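The following is an added example (not code from the ESAPI project or this advisory) showing what that code modification looks like. The class name `UserLookup`, the `users` table and its columns are hypothetical; `ESAPI.encoder().encodeForSQL` and `MySQLCodec` are the real esapi-java-legacy API. The first method is the pattern to remove: user input is escaped and then concatenated into the SQL text, so query safety depends entirely on the encoder. The second method binds the value as a parameter, so the database never parses it as SQL and no encoder call is needed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Optional;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.MySQLCodec;

// Added example, not ESAPI project code. Table/column names are hypothetical.
public class UserLookup {

    // BEFORE (vulnerable pattern, CVE-2025-5878): the query is built by string
    // concatenation and relies on Encoder.encodeForSQL to neutralise the input.
    static Optional<String> findEmailLegacy(Connection conn, String username) throws SQLException {
        MySQLCodec codec = new MySQLCodec(MySQLCodec.Mode.STANDARD);
        String escaped = ESAPI.encoder().encodeForSQL(codec, username);
        String sql = "SELECT email FROM users WHERE username = '" + escaped + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return rs.next() ? Optional.of(rs.getString("email")) : Optional.empty();
        }
    }

    // AFTER (recommended replacement): the SQL text is fixed at compile time and
    // the username travels as a bound parameter, so it cannot change the query
    // structure regardless of its content. No ESAPI call is involved.
    static Optional<String> findEmail(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString("email")) : Optional.empty();
            }
        }
    }
}
```

When migrating, search the codebase for every `encodeForSQL` call site rather than only the obvious ones; each one marks a query that is assembled from strings and should become a `PreparedStatement` (or an equivalent in your ORM/query builder). Once no call sites remain, the library can still be upgraded to 2.7.0.0 as the advisory instructs, but the application no longer depends on that method for its SQL safety.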

🧯 If You Can't Patch

  • Implement strict input validation and use parameterized queries instead of relying on ESAPI's encodeForSQL
  • Deploy web application firewall (WAF) with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check if your application uses ESAPI esapi-java-legacy version below 2.7.0.0 and calls Encoder.encodeForSQL method.

Check Version:

Check the Maven/Gradle dependency tree or examine the version in the ESAPI jar file's manifest.

Verify Fix Applied:

Verify ESAPI version is 2.7.0.0 or higher and that the application no longer uses Encoder.encodeForSQL or uses it with proper warnings.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed SQL query attempts
  • Warnings about deprecated Encoder.encodeForSQL usage

Network Indicators:

  • Unusual database connection patterns
  • SQL injection payloads in HTTP requests

SIEM Query:

source="application_logs" AND ("SQL error" OR "encodeForSQL" OR "SQLException")
