CVE-2025-29087

In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.

CVSS v3 3.2 LOW

3.2^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.4 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://gist.github.com/ylwango613/a44a29f1ef074fa783e29f04a0afd62a	Third Party Advisory
https://sqlite.org/releaselog/3_49_1.html	Release Notes
https://www.sqlite.org/cves.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-04-07 20:15

Updated : 2025-04-30 12:43

NVD link : CVE-2025-29087

Mitre link : CVE-2025-29087

CVE.ORG link : CVE-2025-29087

JSON object : View

Products Affected

sqlite

sqlite

CWE

CWE-190

Integer Overflow or Wraparound

{"id": "CVE-2025-29087", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.2, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.4}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-04-07T20:15:20.253", "references": [{"url": "https://gist.github.com/ylwango613/a44a29f1ef074fa783e29f04a0afd62a", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://sqlite.org/releaselog/3_49_1.html", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://www.sqlite.org/cves.html", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-190"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-190"}]}], "descriptions": [{"lang": "en", "value": "In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory."}, {"lang": "es", "value": "Sqlite 3.49.0 es susceptible al desbordamiento de enteros a trav\u00e9s de la funci\u00f3n concat."}], "lastModified": "2025-04-30T12:43:22.310", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42F127F3-9545-4944-86C7-38FE88E9DEBA", "versionEndExcluding": "3.49.1", "versionStartIncluding": "3.44.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}