CVE-2025-46337: SQL injection in ADOdb PostgreSQL driver pg_insert_id() method
Improper escaping of a query parameter in the PostgreSQL driver's pg_insert_id() method may allow an attacker to execute arbitrary SQL statements when code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data.
Note that the indicated Severity corresponds to a worst-case usage scenario.
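The following is an added illustration of the defensive shape for this kind of helper; it is not ADOdb's own code and does not reproduce the project's fix. It assumes a live pgsql connection in $conn and PostgreSQL's default <table>_<column>_seq naming for serial columns.

```php
<?php
// Added example, not ADOdb's code. Builds the "last value of the serial
// sequence" lookup that a pg_insert_id()-style helper performs, without
// letting the table or column name alter the SQL text.
//
// The unsafe shape this guards against is raw interpolation of both names
// into the statement string, e.g. "SELECT last_value FROM {$table}_{$column}_seq",
// where any quote or statement terminator in the names becomes SQL.

/**
 * Reject anything that is not a plain SQL identifier before it reaches a
 * query. Table and column names should come from application code, never
 * from request data; this check is a guardrail for when that rule is broken.
 * 63 characters is PostgreSQL's identifier length limit (NAMEDATALEN - 1).
 */
function assertPlainIdentifier(string $name): void
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,62}$/', $name)) {
        throw new InvalidArgumentException("Invalid SQL identifier: $name");
    }
}

/**
 * Hardened lookup: validate both names, then quote the derived sequence name
 * as an identifier with pg_escape_identifier() (PHP's binding of libpq's
 * PQescapeIdentifier), so it can only ever be read as a relation name.
 * Returns the sequence's last_value, or false if the query fails.
 */
function lastInsertIdSafe($conn, string $table, string $column)
{
    assertPlainIdentifier($table);
    assertPlainIdentifier($column);

    $seq = pg_escape_identifier($conn, "{$table}_{$column}_seq");
    $res = pg_query($conn, "SELECT last_value FROM $seq");
    if ($res === false) {
        return false;
    }
    $row = pg_fetch_row($res);
    pg_free_result($res);
    return $row[0] ?? false;
}

// Usage (assumed connection; constructed names):
// $conn = pg_connect('host=localhost dbname=app');
// $id = lastInsertIdSafe($conn, 'orders', 'id');
```

Because pg_escape_identifier() double-quotes the name, it becomes case-sensitive: pass the table and column exactly as they exist in the catalog (lowercase for ordinary unquoted definitions).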
References
- github.com/ADOdb/ADOdb
- github.com/ADOdb/ADOdb/commit/11107d6d6e5160b62e05dff8a3a2678cf0e3a426
- github.com/ADOdb/ADOdb/issues/1070
- github.com/ADOdb/ADOdb/security/advisories/GHSA-8x27-jwjr-8545
- github.com/advisories/GHSA-8x27-jwjr-8545
- nvd.nist.gov/vuln/detail/CVE-2025-46337
- xaliom.blogspot.com/2025/05/from-sast-to-cve-2025-46337.html