ESAPI esapi-java-legacy up to 2.6.2.0 SQL Injection Defense Encoder.encodeForSQL special element
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.9 | $0-$5k | 0.12 |
Summary
A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 is able to address this issue. Commit ID f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is disabling the feature by default and any attempt to use it will trigger a warning. And commit ID e2322914304d9b1c52523ff24be495b7832f6a56 is updating the misleading Java class documentation to warn about the risks.
Details
A vulnerability was found in ESAPI esapi-java-legacy (Software Library) and classified as critical. This issue affects the function Encoder.encodeForSQL of the component SQL Injection Defense. The manipulation with an unknown input leads to a special element vulnerability. Using CWE to declare the problem leads to CWE-138. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. Impacted is confidentiality, integrity, and availability.
The weakness was released by Longlong Gong. The advisory is shared at github.com. The identification of this vulnerability is CVE-2025-5878. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details as well as a public exploit are known.
A public exploit has been developed by Longlong Gong. It is declared as proof-of-concept. The project was contacted early about this issue and handled it with an exceptional level of professionalism. In the new release the feature was disabled by default and any attempt to use it will trigger a warning. Furthermore, the misleading Java class documentation was updated to warn about the risks. The vulnerability scanner Nessus provides a plugin with the ID 242493 (Debian dla-4246 : libowasp-esapi-java - security update), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 2.7.0.0 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the vulnerability database at Tenable (242493). github.com is providing further details. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Vendor
Name
Version
- 2.0-rc10
- 2.0-rc11
- 2.0.1
- 2.0GA1
- 2.1.0
- 2.1.0.1
- 2.2.0.0
- 2.2.0.0-RC1
- 2.2.0.0-RC2
- 2.2.0.0-RC3
- 2.2.1.0
- 2.2.1.0-RC1
- 2.2.1.1
- 2.2.2.0
- 2.2.3.0
- 2.2.3.1
- 2.3.0.0
- 2.4.0.0
- 2.5.0.0
- 2.5.1.0
- 2.5.2.0
- 2.5.3.0
- 2.5.3.1
- 2.5.4.0
- 2.5.5.0
- 2.6.0.0
- 2.6.1.0
- 2.6.2.0
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CNA CVSS-B Score: 🔒
CNA CVSS-BT Score: 🔒
CNA Vector: 🔒
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.9
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 7.3
CNA Vector: 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Special elementCWE: CWE-138 / CWE-20
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Access: Public
Status: Proof-of-Concept
Author: Longlong Gong
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 242493
Nessus Name: Debian dla-4246 : libowasp-esapi-java - security update
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: esapi-java-legacy 2.7.0.0
Patch: f75ac2c2647a81d2cfbdc9c899f8719c240ed512
Timeline
06/28/2025 Advisory disclosed06/28/2025 VulDB entry created
07/22/2025 VulDB entry last update
Sources
Product: github.comAdvisory: github.com
Researcher: Longlong Gong
Status: Confirmed
Confirmation: 🔒
CVE: CVE-2025-5878 (🔒)
GCVE (CVE): GCVE-0-2025-5878
GCVE (VulDB): GCVE-100-314321
scip Labs: https://www.scip.ch/en/?labs.20150716
Misc.: 🔒
Entry
Created: 06/28/2025 09:20Updated: 07/22/2025 16:43
Changes: 06/28/2025 09:20 (61), 06/28/2025 09:21 (4), 06/29/2025 06:31 (2), 06/29/2025 13:13 (3), 06/29/2025 15:08 (30), 07/22/2025 16:43 (2)
Complete: 🔍
Submitter: uglory
Cache ID: 216:6AC:103
Submit
Accepted
- Submit #590149: ESAPI esapi-java-legacy 2.6.2.0 SQL injection filtering bypass1 (by uglory)
Duplicate
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.