CVE-2025-29087

low

Description

In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.

References

https://www.sqlite.org/cves.html

https://sqlite.org/releaselog/3_49_1.html

https://gist.github.com/ylwango613/a44a29f1ef074fa783e29f04a0afd62a

Details

Source: Mitre, NVD

Published: 2025-04-07

Updated: 2025-04-15

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 3.2

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

Severity: Low

EPSS

EPSS: 0.00018