{"id":"CVE-2025-5878","details":"A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 is able to address this issue. Commit ID f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is disabling the feature by default and any attempt to use it will trigger a warning. And commit ID e2322914304d9b1c52523ff24be495b7832f6a56 is updating the misleading Java class documentation to warn about the risks.","modified":"2026-04-12T18:25:22.538430Z","published":"2025-06-29T12:15:23.633Z","references":[{"type":"WEB","url":"https://vuldb.com/?submit.590150"},{"type":"WEB","url":"https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin13.pdf"},{"type":"WEB","url":"https://github.com/ESAPI/esapi-java-legacy/releases/tag/esapi-2.7.0.0"},{"type":"WEB","url":"https://github.com/uglory-gll/javasec/blob/main/ESAPI.md"},{"type":"WEB","url":"https://vuldb.com/?submit.590149"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/07/msg00010.html"},{"type":"WEB","url":"https://vuldb.com/?ctiid.314321"},{"type":"WEB","url":"https://vuldb.com/?id.314321"},{"type":"FIX","url":"https://github.com/ESAPI/esapi-java-legacy/commit/e2322914304d9b1c52523ff24be495b7832f6a56"},{"type":"FIX","url":"https://github.com/ESAPI/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/esapi/esapi-java-legacy","events":[{"introduced":"0"},{"fixed":"e2322914304d9b1c52523ff24be495b7832f6a56"}]},{"type":"GIT","repo":"https://github.com/esapi/esapi-java-legacy","events":[{"introduced":"0"},{"fixed":"f75ac2c2647a81d2cfbdc9c899f8719c240ed512"}]},{"type":"GIT","repo":"https://github.com/esapi/esapi-java-legacy","events":[{"introduced":"0"},{"fixed":"0fa4c0f1311aa525b1a776f0a789fb1dc8a04b41"}]}],"versions":["esapi-2.1.0.1","esapi-2.2.0.0","esapi-2.2.0.0-RC1","esapi-2.2.0.0-RC3","esapi-2.2.1.0","esapi-2.2.1.0-RC1","esapi-2.2.1.1","esapi-2.2.2.0","esapi-2.2.3.1","esapi-2.4.0.0","esapi-2.5.0.0","esapi-2.5.1.0","esapi-2.5.2.0","esapi-2.5.3.0","esapi-2.5.3.1","esapi-2.5.4.0","esapi-2.5.5.0","esapi-2.6.0.0","esapi-2.6.1.0","esapi-2.6.2.0"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Line","id":"CVE-2025-5878-08b0d07b","target":{"file":"src/main/java/org/owasp/esapi/logging/appender/EventTypeLogSupplier.java"},"digest":{"threshold":0.9,"line_hashes":["259388097198371837559672738287652199800","277674549001955512494774097668045439661","27269329513755891943417205002838130930","170393567472227285846977983930096536714"]},"deprecated":false},{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Line","id":"CVE-2025-5878-5677793b","target":{"file":"src/main/java/org/owasp/esapi/codecs/OracleCodec.java"},"digest":{"threshold":0.9,"line_hashes":["183146616361148965537819982065200626134"]},"deprecated":false},{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Line","id":"CVE-2025-5878-632dbdf1","target":{"file":"src/main/java/org/owasp/esapi/ESAPI.java"},"digest":{"threshold":0.9,"line_hashes":["56392164223428297268639927584799926717","183360325294708023935793418903462672659","199583536320717969248155255476799489264","158118457830090772362412773112197863983","38387150757756498672868468949315252000","137177912045843630481387579434061167285","49363872115192778680630522808682548984","79995470562482323975297689482979392453","164720149460119589505873959403321068384","12772214332612930210529070340618888782","29862241234633165751997624982246578269","314400715681256859011801040321482316284"]},"deprecated":false},{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Line","id":"CVE-2025-5878-679cc0e6","target":{"file":"src/main/java/org/owasp/esapi/Encoder.java"},"digest":{"threshold":0.9,"line_hashes":["156717101426669207409307248498396890243","274580407148830131019006230474892710733","275650284908587968382622479071621830700","159773795474788244427156022860940475062"]},"deprecated":false},{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Line","id":"CVE-2025-5878-85aac7d2","target":{"file":"src/main/java/org/owasp/esapi/codecs/DB2Codec.java"},"digest":{"threshold":0.9,"line_hashes":["333863730340014388616627392134887332451"]},"deprecated":false},{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Line","id":"CVE-2025-5878-979fa0cd","target":{"file":"src/main/java/org/owasp/esapi/logging/appender/UserInfoSupplier.java"},"digest":{"threshold":0.9,"line_hashes":["78185648116253102768375119637096471965","196628448922058530216139797154032866351","85806314240835767335357649207492738874","124762406652836051260445249010762762035"]},"deprecated":false},{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Line","id":"CVE-2025-5878-a3967b33","target":{"file":"src/main/java/org/owasp/esapi/logging/appender/ClientInfoSupplier.java"},"digest":{"threshold":0.9,"line_hashes":["148140590938255614012338009243310523450","91471175774967976603115943235613950273","253034413205485937621184235871853638272","2832513841800657665011768104301571186","124858907227551459462430460719811774160"]},"deprecated":false},{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Line","id":"CVE-2025-5878-a6b4831f","target":{"file":"src/main/java/org/owasp/esapi/errors/NotConfiguredByDefaultException.java"},"digest":{"threshold":0.9,"line_hashes":["291660298853204130820671660600335171806","125752636268214573104362834421143053607","334487115726112593148314634597965177253","180709381012414953472462113759399508023","72206306135830103607810353178737729712","51592832925159533192707989717943717513","234165386927054537163327245643557856781","64533737205058984518921250174557045516","53039447521312389633398729357400926038","242519711400674636365351439009038347025","298950279649195804679773808699583639920","255135975045513704765603851385540600741","296874259481473836257716266322117084192"]},"deprecated":false},{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Line","id":"CVE-2025-5878-b22d5489","target":{"file":"src/main/java/org/owasp/esapi/logging/appender/ServerInfoSupplier.java"},"digest":{"threshold":0.9,"line_hashes":["106883142560372038858421468918369683538","9709850194829244486584414514544732322","237028420746334491314928599123040907060","242516055294871037212057213859942652184"]},"deprecated":false},{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Line","id":"CVE-2025-5878-c35e7dc1","target":{"file":"src/main/java/org/owasp/esapi/codecs/MySQLCodec.java"},"digest":{"threshold":0.9,"line_hashes":["55992735827058081991865598031103638511"]},"deprecated":false},{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Function","id":"CVE-2025-5878-d1c80ae2","target":{"file":"src/main/java/org/owasp/esapi/reference/DefaultEncoder.java","function":"encodeForSQL"},"digest":{"length":136,"function_hash":"73677398524707642877487517951323682304"},"deprecated":false},{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Function","id":"CVE-2025-5878-eec27328","target":{"file":"src/main/java/org/owasp/esapi/errors/NotConfiguredByDefaultException.java","function":"NotConfiguredByDefaultException"},"digest":{"length":68,"function_hash":"329843847068552324655743178063563805308"},"deprecated":false},{"signature_version":"v1","source":"https://github.com/esapi/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512","signature_type":"Line","id":"CVE-2025-5878-f6e65c5f","target":{"file":"src/main/java/org/owasp/esapi/reference/DefaultEncoder.java"},"digest":{"threshold":0.9,"line_hashes":["192089114585388789990893561331574716133","238476779877969261258907709287164195997","325692205290697016915339287608369611062","268773625771991515073002661340709827094","52227034322125724006930691659249729867","19838639288940566920634414954080795745","305726610693389342861174578806069833525","192972729579528778067826310378819546667"]},"deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-5878.json","vanir_signatures_modified":"2026-04-12T18:25:22Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}