In SQLite versions 3.44.0 through 3.49.0 (that is, prior to the fix in 3.49.1), the concat_ws() SQL function can write memory beyond the end of a malloc-allocated buffer. The condition is an attacker-controlled separator argument of a large size, such as 2MB or more: an integer overflow in the computation of the result buffer's size causes malloc to allocate too little memory for the concatenated result.
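The following C program is an added illustration of the arithmetic shape the advisory describes; it is not SQLite's source code and makes no claim about how SQLite actually computed the size. The model assumes a concat_ws-style result of `sum(argument lengths) + (nargs - 1) * separator length + 1`, shows a 32-bit counter wrapping on a constructed input (2049 one-byte arguments joined by a 2 MiB separator), and places the overflow-checked, capped computation a fixed implementation would use beside it. The cap value `ASSUMED_MAX_RESULT_LEN` and all helper names are assumptions for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a concat_ws()-style result-size computation. This is
 * NOT SQLite's source; it reproduces only the arithmetic the advisory describes:
 * result = arg0 sep arg1 sep ... argN-1, so the buffer must hold
 * sum(arg lengths) + (nargs - 1) * sep_len + 1 (NUL terminator). */

/* Vulnerable pattern: size accumulated in a 32-bit counter. uint32_t is used so
 * the wraparound is well-defined for the demo; the effect is the same as an int
 * that overflows: the value handed to malloc() is far too small. */
uint32_t size_needed_u32(const uint32_t *arg_lens, size_t nargs, uint32_t sep_len)
{
    uint32_t n = 1;                         /* terminating NUL */
    for (size_t i = 0; i < nargs; i++) {
        n += arg_lens[i];
        if (i > 0) n += sep_len;            /* separator before every arg but the first */
    }
    return n;                               /* may have wrapped */
}

/* Hardened pattern: 64-bit accumulation with explicit overflow checks and a hard
 * cap. The cap is an assumption for this demo (1,000,000,000 bytes). Returns
 * false instead of a size whenever the request cannot be honoured. */
#define ASSUMED_MAX_RESULT_LEN 1000000000ULL

bool size_needed_checked(const uint64_t *arg_lens, size_t nargs, uint64_t sep_len, uint64_t *out)
{
    uint64_t n = 1;
    for (size_t i = 0; i < nargs; i++) {
        if (__builtin_add_overflow(n, arg_lens[i], &n)) return false;
        if (i > 0 && __builtin_add_overflow(n, sep_len, &n)) return false;
        if (n > ASSUMED_MAX_RESULT_LEN) return false;   /* reject oversized results early */
    }
    *out = n;
    return true;
}

/* Constructed scenario: 2049 one-byte arguments joined by a 2 MiB separator.
 * 2048 separators * 2 MiB = 2^32 bytes, so the 32-bit counter wraps to 0 and only
 * the 2049 argument bytes + NUL survive in the computed size. */
#define DEMO_NARGS 2049u
#define DEMO_SEP_LEN (2u * 1024u * 1024u)

uint32_t demo_wrapped_size(void)            /* expected: 2050, not ~4 GiB */
{
    uint32_t lens[DEMO_NARGS];
    for (size_t i = 0; i < DEMO_NARGS; i++) lens[i] = 1;
    return size_needed_u32(lens, DEMO_NARGS, DEMO_SEP_LEN);
}

bool demo_checked_rejects(void)             /* same scenario through the hardened path */
{
    uint64_t lens[DEMO_NARGS];
    uint64_t out = 0;
    for (size_t i = 0; i < DEMO_NARGS; i++) lens[i] = 1;
    return !size_needed_checked(lens, DEMO_NARGS, DEMO_SEP_LEN, &out);
}

/* Small, legitimate input: "abc" "," "def" "," "ghi" -> 11 chars + NUL = 12 */
uint32_t demo_small_u32(void)
{
    uint32_t l32[3] = {3, 3, 3};
    return size_needed_u32(l32, 3, 1);
}

uint64_t demo_small_checked(void)           /* returns 0 if the checked path rejects */
{
    uint64_t l64[3] = {3, 3, 3};
    uint64_t out = 0;
    return size_needed_checked(l64, 3, 1, &out) ? out : 0;
}

int main(void)
{
    printf("32-bit size for 2049 args + 2 MiB separator: %u bytes (true need is about 4 GiB)\n",
           demo_wrapped_size());
    printf("checked path rejects that request: %s\n", demo_checked_rejects() ? "yes" : "no");
    printf("small input: 32-bit=%u checked=%llu\n",
           demo_small_u32(), (unsigned long long)demo_small_checked());
    return 0;
}
```

The defensive point is that the checked path fails closed: it never produces a number at all for a request that overflowed or exceeded the cap, so there is no undersized allocation for a later memcpy to overrun. The `__builtin_add_overflow` intrinsic is available in GCC and Clang; on other compilers the same check can be written as `n > UINT64_MAX - add` before each addition.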
The CVSS score for this vulnerability is 3.2, placing it in the low-severity band. While the low score indicates a lower immediate risk, it is important for organizations using SQLite to remain vigilant. If exploited, this vulnerability could lead to unexpected behavior, including application crashes caused by the out-of-bounds write.
Currently, there are no known exploits for this vulnerability in the wild, and it is not classified as actively exploited. However, organizations should still address it during their routine patch management processes.
Organizations should prioritize patching immediately, ensuring they upgrade to version 3.49.1 or later to mitigate this risk.
The vulnerability was published on April 7, 2025, and is tracked under CWE-190, which refers to an integer overflow.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
