Firebird database: DoS vulnerabilities and potentially unauthorized access

The developers have closed two security gaps in the relational SQL database Firebird. These enabled attackers to paralyze servers with manipulated queries – or, under certain circumstances, even gain unauthorized access to data that was actually encrypted.

The more serious vulnerability concerns the pool of external connections (ExtConnPool). If this is active, connections stored in it are not checked again to see whether the CryptCallback APIs used when they were created are actually still present and suitable. As a result, encrypted databases can be accessed when external SQL statements are executed that are later accessed with attachments that lack a key to the database. A segfault can also occur with such chained execute statements, even on unencrypted databases, and thus paralyze the server processes (denial of service). The vulnerability has received the CVE entry CVE-2025-24975 / EUVD-2025-25030 with a CVSS value of 7.1 and a risk rating of “high.”

This affects FIrebirdSQL up to and including 5.0.3 and 4.0.7. The errors correct the snapshots 6.0.0.609, 5.0.2.1610, and 4.0.6.3183 and newer.

Second security vulnerability in Firebird

Before versions 5.0.3, 4.0.6, and 3.0.13, NULL pointer dereferences can occur when processing XDR messages, i.e., resources that have already been released can be released again. This results in a process crash, i.e., a denial of service (CVE-2025-54989 / EUVD-2025-25032, CVSS 5.3, risk “medium”).

IT managers should ensure that the Firebird versions are updated to the latest versions. The updated source codes are available on Github. The bug-fixed version 5.0.3, for example, has been available for various operating systems since mid-July. However, the CVE entries for the security vulnerabilities closed with it have only now been published.

(dmk)