A critical vulnerability has been discovered in the popular PHP library adodb, which is widely used in PHP projects to abstract access to the DBMS. The vulnerability, identified as CVE-2025-46337, allows attackers to inject SQL into queries, posing a significant risk to applications using adodb. The library has approximately 3 million installations from the Packagist repository, and the vulnerability has been assigned the maximum severity level of 10 out of 10.
The vulnerability affects adodb version 5.22.9 and manifests specifically when adodb is used with the PostgreSQL DBMS in applications that call the pg_insert_id() method. The issue arises when unvalidated external data is passed as the $fieldname parameter, leading to SQL injection. The root cause has been identified as an error in the PostgreSQL driver: special characters in the $tablename and $fieldname parameters are not properly escaped before pg_insert_id() uses them to construct a sequence name.
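The flaw class described above, as an added illustration that is not adodb's own code: a simplified stand-in for the driver's pg_insert_id() that builds the sequence name by plain concatenation, beside a hardened form that validates both names and quotes the assembled identifier with pg_escape_identifier(). The function names, the assert_identifier() helper and the connection placeholder are assumptions.

```php
<?php
// Added illustration, not adodb's code: a simplified stand-in for the
// PostgreSQL driver's pg_insert_id() showing the weak pattern and a fix.

// Weak pattern: $tablename and $fieldname are concatenated straight into the
// sequence name, so any quoting or SQL metacharacters they carry become part
// of the statement that is executed.
function pg_insert_id_unsafe($conn, string $tablename, string $fieldname)
{
    $sql = 'SELECT last_value FROM ' . $tablename . '_' . $fieldname . '_seq';
    $result = pg_query($conn, $sql);
    if ($result === false) {
        return false;
    }
    $row = pg_fetch_row($result, 0);
    pg_free_result($result);
    return $row[0] ?? false;
}

// Hardened pattern: accept only plain identifier characters (assumed helper),
// then quote the assembled sequence name as one identifier so the database
// never parses it as SQL.
function assert_identifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Invalid identifier: $name");
    }
    return $name;
}

function pg_insert_id_safe($conn, string $tablename, string $fieldname)
{
    $seq = assert_identifier($tablename) . '_' . assert_identifier($fieldname) . '_seq';
    $sql = 'SELECT last_value FROM ' . pg_escape_identifier($conn, $seq);
    $result = pg_query($conn, $sql);
    if ($result === false) {
        return false;
    }
    $row = pg_fetch_row($result, 0);
    pg_free_result($result);
    return $row[0] ?? false;
}

// Usage (connection string is a placeholder): external input is rejected
// unless it is a plain identifier, and the name is quoted before use.
// $conn = pg_connect('host=localhost dbname=app user=app password=<placeholder>');
// $id = pg_insert_id_safe($conn, $_POST['table'], $_POST['field']);
```

Reviewing an application for this issue means finding call sites where request data reaches the $tablename or $fieldname arguments of pg_insert_id(), or upgrading to a release where the driver escapes them itself.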