GHSA-8x27-jwjr-8545
GitHub Security Advisory
SQL injection in ADOdb PostgreSQL driver pg_insert_id() method
Advisory Details
Improper escaping of the $fieldname argument may allow an attacker to execute arbitrary SQL statements when an application using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data in that argument.
Note that the indicated Severity corresponds to a worst-case usage scenario.
### Impact
Applications using any of the PostgreSQL drivers (postgres64, postgres7, postgres8, postgres9) that call pg_insert_id() with user-supplied data.
### Patches
Vulnerability is fixed in ADOdb 5.22.9 (11107d6d6e5160b62e05dff8a3a2678cf0e3a426).
### Workarounds
Only pass trusted, application-controlled values as the $fieldname parameter of pg_insert_id(), or escape the value with pg_escape_identifier() before passing it.
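To make the injection and the workaround concrete, here is an added illustration in Python; it is not ADOdb's code (the real driver is PHP), and the exact query text the driver builds from $tablename and $fieldname is an assumption. It reproduces the two halves of the problem: a sequence name assembled by plain string concatenation, beside the same name passed through PostgreSQL identifier quoting, which is the rule pg_escape_identifier() applies (wrap in double quotes, double any embedded double quote). A small statement scanner then shows what the server would see in each case; the attacker value for $fieldname is constructed for the example.

```python
# Added illustration of the pg_insert_id() injection pattern and its fix.
# Not ADOdb code: the real driver is PHP and the exact query text it builds is
# an assumption here; the quoting rule mirrors what pg_escape_identifier()
# (libpq's PQescapeIdentifier) does.


def build_last_value_query_unsafe(tablename: str, fieldname: str) -> str:
    """Vulnerable pattern: caller-supplied names are concatenated straight
    into the SQL text, so a ';' or '--' inside $fieldname changes the statement."""
    return "SELECT last_value FROM " + tablename + "_" + fieldname + "_seq"


def quote_identifier(name: str) -> str:
    """PostgreSQL identifier quoting as pg_escape_identifier() performs it:
    wrap in double quotes and double any embedded double quote. Nothing inside
    a quoted identifier is parsed as SQL, so the token cannot end early."""
    if "\x00" in name:
        raise ValueError("identifier contains NUL")
    return '"' + name.replace('"', '""') + '"'


def build_last_value_query_safe(tablename: str, fieldname: str) -> str:
    """Hardened pattern: the whole sequence name is quoted as an identifier
    before it is placed in the statement (the workaround described above)."""
    return "SELECT last_value FROM " + quote_identifier(
        tablename + "_" + fieldname + "_seq"
    )


def split_statements(sql: str) -> list[str]:
    """Count top-level statements the way the server would see them.

    Splits on ';' that lie outside '...' string literals, "..." quoted
    identifiers and -- line comments. A deliberately small scanner, enough to
    show whether injected text became a separate statement; not a SQL parser."""
    stmts: list[str] = []
    cur: list[str] = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):
            # Consume a quoted token, honouring the doubled-quote escape.
            j = i + 1
            while j < n:
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:
                        j += 2
                        continue
                    break
                j += 1
            cur.append(sql[i : j + 1])
            i = j + 1
        elif sql.startswith("--", i):
            # Line comment: discard to end of line (or end of input).
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif c == ";":
            stmt = "".join(cur).strip()
            if stmt:
                stmts.append(stmt)
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    tail = "".join(cur).strip()
    if tail:
        stmts.append(tail)
    return stmts


if __name__ == "__main__":
    # Constructed attacker value for $fieldname. PHP's pg_query() executes every
    # statement in the string it is handed, so the injected DROP would run.
    hostile_field = "id_seq; DROP TABLE users; --"
    for builder in (build_last_value_query_unsafe, build_last_value_query_safe):
        sql = builder("users", hostile_field)
        print(f"{builder.__name__}: {len(split_statements(sql))} statement(s)")
        print("   ", sql)
```

With the hostile value the unsafe builder yields two statements, the second being `DROP TABLE users`; the quoted builder yields a single SELECT against a sequence that simply does not exist. One caveat when applying the workaround: double-quoted identifiers are case-sensitive in PostgreSQL, so a mixed-case $fieldname that previously resolved through case folding (`users_ID_seq` matching `users_id_seq`) will no longer match once quoted. Pass the names exactly as they appear in the catalog.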
### References
- [Issue #1070](https://github.com/ADOdb/ADOdb/issues/1070)
- [Blog post](https://xaliom.blogspot.com/2025/05/from-sast-to-cve-2025-46337.html) by Marco Nappi
### Credits
Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.
Data from GitHub Advisory Database. This information is provided for research and educational purposes.