CVE-2025-29087 - Exploiting an Out-of-Bounds Write in SQLite's concat_ws() - PoC and Analysis

*Posted on June 21, 2024 by infosec_vault*

What is CVE-2025-29087?

CVE-2025-29087 is a newly disclosed vulnerability in SQLite affecting versions 3.44. through 3.49. (before 3.49.1). The bug is related to the concat_ws() SQL function, which can allow an attacker to write memory beyond the intended buffer space, potentially leading to a crash, data corruption, or even remote code execution under certain conditions.

Why Is This Important?

SQLite is the most-deployed database engine in the world, commonly embedded in software, mobile apps, and browsers. Vulnerabilities like this are extremely valuable to attackers because of the massive install base.

How Does The Vulnerability Work?

The root problem lies in concat_ws(separator, value1, value2, ...). If the separator argument is a long string (2MB+), an integer overflow can happen during the calculation of the result buffer length. Due to the overflow, SQLite does not allocate enough memory, and when it writes the output, data ends up outside the bounds of the buffer.

In simple words: If someone can control separator and make it really big, they can break out of the memory box SQLite intended for writing, which could lead to instability or—worst case—malicious code being run.

Let's see how this looks in code

-- Set up a huge string (over 2MB)
WITH
  bigsep(str) AS (
    SELECT hex(zeroblob(2 * 1024 * 1024)) -- 2MB of separator
  )
SELECT concat_ws(
    (SELECT str FROM bigsep), -- Attacker controlled separator
    'a',
    'b'
)
;

We create a CTE (common table expression) bigsep that creates a string over 2MB long.

2. This is passed as the separator to concat_ws(), which will try to allocate space for the resulting joined string.
3. Due to the calculation overflow, not enough space is reserved. This means the actual concat_ws() writes past the end of the buffer allocated by malloc.

In an actual exploit scenario, the allocation and overwrite could be abused for arbitrary code execution, especially if the attacker can control what memory gets over-written, but even a process crash is bad in many contexts.

Patch and Mitigation

The bug is fixed in SQLite 3.49.1.
You can find the official release note here.

Upgrade to SQLite 3.49.1 or later as soon as possible.

- Sanitize user inputs that are used as arguments to concat_ws() if upgrading is not immediately possible.

Where's the bug?

In the internal implementation (see SQLite source), concat_ws() works something like this (simplified):

size_t nSep = strlen(separator);
size_t nTotal = /* calculated based on separator and value lengths */;
char* zOut = sqlite3_malloc64(nTotal + 1); // <= Here

But if nSep * num_values overflows, nTotal wraps around and is *less* than needed. Then, a later loop writes more bytes than were allocated.

References

- CVE-ID: CVE-2025-29087
- SQLite Release Log (3.49.1): https://sqlite.org/releaselog/3_49_1.html
- SQLite concat_ws() docs: https://sqlite.org/lang_corefunc.html#concat_ws

Final Thoughts

It's rare to see a memory corruption bug in mature projects like SQLite, but heavy reliance and wide usage mean even small oversights have big impacts. If you're a developer, update immediately. If you manage systems that let users influence SQL execution—double check your SQLite version now.

Stay Safe!

*If you found this article useful, share it and lets spread the word about secure coding and design!*

Timeline

Published on: 04/07/2025 20:15:20 UTC
Last modified on: 04/15/2025 16:16:06 UTC