CVE-2025-24975

Aug. 15, 2025, 3:15 p.m.

7.1
High

Description

Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. If connections stored in ExtConnPool are not verified for presence and suitability of the CryptCallback interface is used when created versus what is available could result in a segfault in the server process. Encrypted databases, accessed by execute statement on external, may be accessed later by an attachment missing a key to that database. In a case when execute statement are chained, segfault may happen. Additionally, the segfault may affect unencrypted databases. This issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for this issue involves setting ExtConnPoolSize equal to 0 in firebird.conf.

Product(s) Impacted

Vendor Product Versions
Firebird
  • Firebird
  • <4.0.6.3183, <5.0.2.1610, <6.0.0.609

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-754
Improper Check for Unusual or Exceptional Conditions
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a firebird firebird <4.0.6.3183 / / / / / / /
a firebird firebird <5.0.2.1610 / / / / / / /
a firebird firebird <6.0.0.609 / / / / / / /

References

https://github.com/FirebirdSQL/firebird/commit/658abd20449f72097fbbce57e8e6ae42ff837fb6
https://github.com/FirebirdSQL/firebird/issues/8429
https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-fx9r-rj68-7p69

Tags

security-advisories@github.com
CWE-754
2025-08-15
CVE-2025-24975

CVSS Score

7.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

    View Vector String

Timeline

Published: Aug. 15, 2025, 3:15 p.m.
Last Modified: Aug. 15, 2025, 3:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.