SB2025050709 - Multiple vulnerabilities in SQLite
Published: May 7, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2025-29088)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow within the sqlite3_db_config() function. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and crash the application.
2) Integer overflow (CVE-ID: CVE-2025-29087)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow within the concat_ws() function. A remote attacker who can control the separator argument can pass an on overly large string to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://gist.github.com/ylwango613/d3883fb9f6ba8a78086356779ce88248
- https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
- https://sqlite.org/forum/forumpost/48f365daec
- https://sqlite.org/releaselog/3_49_1.html
- https://www.sqlite.org/cves.html
- https://gist.github.com/ylwango613/a44a29f1ef074fa783e29f04a0afd62a