A particularly serious security flaw has been discovered in the ADOdb library, a popular database access library for PHP that is widely used in many web applications and enterprise systems. The vulnerability, designated CVE-2025-46337, affects all ADOdb versions before 5.22.9 and is rated with a maximum CVSS score of 10, the highest severity on the international standard scale.

The vulnerability stems from the ADOdb library unsafely handling user-provided input when that data is passed into the $fieldname parameter of the pg_insert_id() function. During SQL query construction, this parameter is not properly validated, constrained, or sanitized, which allows attackers to inject malicious fragments of SQL code. This is an SQL Injection, one of the most common but also one of the most dangerous flaws for database-connected web applications.

The directly affected code is the pg_insert_id() function in ADOdb's PostgreSQL driver. The vulnerability affects several PostgreSQL drivers, including postgres64, postgres7, postgres8, and postgres9, making the scope of impact broad, especially on older systems or systems that have not been regularly updated. Because ADOdb is often integrated deep within an application's data access layer, this vulnerability can be exploited without being easily detected.

If successfully exploited, CVE-2025-46337 could lead to many serious consequences. An attacker can execute arbitrary SQL commands, illegally access sensitive data, and edit or delete entire tables in the database. In more dangerous scenarios, if the database account that the application uses has high privileges, the attacker may even gain control over the entire database system, disrupting the service or causing serious data loss.

The risk is particularly high when the data passed into the $fieldname parameter is taken directly from HTTP requests, user forms, or URL parameters without strict control. In this case, the attacker only needs to send a crafted request to control the SQL execution flow, thereby stealing data, sabotaging the system, or paving the way for further forms of attack, including remote code execution depending on the system configuration and the database's permissions.

In response to this serious threat, developers and system administrators are advised to update immediately to ADOdb 5.22.9, in which the vulnerability is fixed via an official patch (commit 11107d6). For systems that cannot be upgraded immediately for compatibility or operational reasons, temporary mitigation measures are recommended: strictly control the data passed into the $fieldname parameter, and use pg_escape_identifier() to handle it safely before it is placed into an SQL query.
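The mitigation described above, as an added PHP example that is not ADOdb's own code nor the content of commit 11107d6: an allow-list check on the field name followed by pg_escape_identifier(), shown beside the unsafe concatenation pattern it replaces. It assumes a live pgsql connection $conn from pg_connect(), that the sequence backing the column is named table_field_seq (a constructed assumption for illustration), and the hypothetical helper names used here.

```php
<?php
// Added example for this page; illustrative only, not ADOdb's pg_insert_id().
// Assumes $conn is a pgsql connection from pg_connect() and that the
// serial column's sequence is named <table>_<field>_seq (assumed convention).

// Unsafe pattern: a caller-supplied identifier is concatenated directly into
// the statement text, so whatever the caller passes becomes part of the SQL.
function unsafe_last_id($conn, string $table, string $fieldname)
{
    $sql = 'SELECT last_value FROM ' . $table . '_' . $fieldname . '_seq';
    return pg_query($conn, $sql);
}

// Hardened step 1: allow-list the identifier before it goes anywhere near SQL.
// Letters, digits and underscores only, not starting with a digit, and within
// PostgreSQL's 63-byte identifier limit. Anything else is rejected outright.
function assert_plain_identifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,62}$/', $name)) {
        throw new InvalidArgumentException(
            'Rejected identifier: ' . var_export($name, true)
        );
    }
    return $name;
}

// Hardened step 2: quote the identifier with pg_escape_identifier(), which
// double-quotes it and escapes embedded quotes, so the database can only ever
// read the value as a name, never as additional SQL.
function safe_last_id($conn, string $table, string $fieldname)
{
    $table     = assert_plain_identifier($table);
    $fieldname = assert_plain_identifier($fieldname);

    $seq = pg_escape_identifier($conn, $table . '_' . $fieldname . '_seq');
    $sql = 'SELECT last_value FROM ' . $seq;

    $res = pg_query($conn, $sql);
    if ($res === false) {
        throw new RuntimeException('Query failed: ' . pg_last_error($conn));
    }
    $row = pg_fetch_row($res);
    return $row === false ? false : (int) $row[0];
}

// Alternative that avoids identifier concatenation entirely: pass the table
// and column as text parameters to pg_get_serial_sequence(), which resolves
// the real sequence name server-side. Note that currval() only works after
// nextval() has been called on that sequence in the current session.
function safe_last_id_params($conn, string $table, string $fieldname)
{
    $res = pg_query_params(
        $conn,
        'SELECT currval(pg_get_serial_sequence($1, $2))',
        [assert_plain_identifier($table), assert_plain_identifier($fieldname)]
    );
    if ($res === false) {
        throw new RuntimeException('Query failed: ' . pg_last_error($conn));
    }
    $row = pg_fetch_row($res);
    return $row === false ? false : (int) $row[0];
}
```

The allow-list is the primary control: it rejects unexpected input before any escaping happens, and the quoting is defence in depth for the case where a name slips through validation. Applications that cannot upgrade can wrap their own calls into the data layer with assert_plain_identifier() so that only known column names reach pg_insert_id().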

Prompt patching combined with strict input control not only eliminates the risk from CVE-2025-46337 but also raises the overall security level of PHP applications using ADOdb, in a landscape of increasingly sophisticated and deliberate cyberattacks.