Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionGitHub Advisory
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
AnalysisAI
Remote code execution in Firebird RDBMS versions prior to 5.0.4, 4.0.7, and 3.0.14 allows authenticated users with CREATE FUNCTION privileges to execute arbitrary code as the database server process through path traversal in the external engine plugin loader. The vulnerability stems from insufficient input validation (CWE-22) when concatenating user-supplied engine names into filesystem paths, enabling attackers to load malicious shared libraries from arbitrary locations. With CVSS 10.0 and scope change (S:C), successful exploitation grants full system compromise beyond database boundaries. EPSS data not provided, no CISA KEV listing identified, indicating targeted rather than widespread exploitation at time of analysis. Vendor-released patches available across all affected major versions.
Technical ContextAI
Firebird's external engine plugin architecture allows database functions to invoke code from dynamically loaded shared libraries (.so/.dll files). The plugin loader accepts user-controlled ENGINE parameter values during CREATE FUNCTION statements and constructs filesystem paths by string concatenation without proper sanitization. Path traversal vulnerability (CWE-22) occurs because the loader fails to strip directory separators (../, ../../) or validate that the resulting path stays within intended plugin directories. When loading the attacker-specified library, the operating system executes initialization routines (_init sections, DllMain, or constructor functions) before Firebird performs module validation, creating a pre-validation code execution window. The affected CPE (cpe:2.3:a:firebirdsql:firebird) covers all deployment modes of Firebird RDBMS. The scope change metric (S:C) reflects that library code executes with the server's OS privileges, breaking out of the database's security context to impact the underlying system.
RemediationAI
Upgrade immediately to Firebird 5.0.4 (https://github.com/FirebirdSQL/firebird/releases/tag/v5.0.4), 4.0.7 (https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.7), or 3.0.14 (https://github.com/FirebirdSQL/firebird/releases/tag/v3.0.14) depending on your major version branch. These releases include input validation fixes that sanitize ENGINE parameter values and restrict plugin loading to designated directories. If immediate patching is not feasible, implement defense-in-depth controls: revoke CREATE FUNCTION privileges from all non-administrative accounts through GRANT/REVOKE commands, restricting this capability to a minimal set of trusted DBAs (note: this breaks applications that dynamically create UDFs and requires code changes). Configure firewall rules or network segmentation to block direct network access to Firebird ports (default 3050/tcp) from untrusted networks, forcing access through application tiers that do not expose CREATE FUNCTION capabilities (trade-off: does not mitigate insider threats or compromised application accounts). Enable Firebird's audit logging to monitor CREATE FUNCTION statements for anomalous ENGINE values containing path traversal patterns. No workaround fully mitigates the vulnerability without patching.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23496