{"id":"CVE-2025-29087","details":"In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.","aliases":["BIT-sqlite-2025-29087"],"modified":"2026-03-23T05:02:25.088157Z","published":"2025-04-07T20:15:20.253Z","related":["SUSE-SU-2025:01455-1","SUSE-SU-2025:01456-1","SUSE-SU-2025:01456-2","SUSE-SU-2025:1455-1","SUSE-SU-2025:1456-1","SUSE-SU-2025:20323-1","SUSE-SU-2025:20395-1","openSUSE-SU-2025:14991-1"],"references":[{"type":"ADVISORY","url":"https://gist.github.com/ylwango613/a44a29f1ef074fa783e29f04a0afd62a"},{"type":"ADVISORY","url":"https://sqlite.org/releaselog/3_49_1.html"},{"type":"ADVISORY","url":"https://www.sqlite.org/cves.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sqlite/sqlite","events":[{"introduced":"66476771b77e3c0df9d406d912486c43ac726fab"},{"fixed":"3cd92ce875fd4e5601e535c35fef33494a6684e3"}],"database_specific":{"versions":[{"introduced":"3.44.0"},{"fixed":"3.49.1"}]}}],"versions":["major-relase","relase","version-3.44.0","version-3.45.0","version-3.46.0","version-3.47.0","version-3.48.0","version-3.49.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-29087.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}