How to fix EUVD-2025-209528?

Within 24 hours: Inventory all systems running Firebird 3.x client libraries and identify connections to Firebird 4+ servers. Within 7 days: Upgrade affected Firebird 3.x client libraries to Firebird 4.0.0 or higher on all systems; prioritize servers handling sensitive data. Within 30 days: Validate all upgrades in production and conduct access logs review for any suspicious local authenticated activity during the exposure window.

EUVD-2025-209528

| CVE-2025-65104 HIGH

2026-04-17 GitHub_M

Information Disclosure

7.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

Low

Lifecycle Timeline

patch_available

Apr 17, 2026 - 19:16 EUVD

Re-analysis Queued

Apr 17, 2026 - 19:07 vuln.today

cvss_changed

Analysis Generated

Apr 17, 2026 - 18:44 vuln.today

DescriptionNVD

Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher.

AnalysisAI

Information disclosure in Firebird 3.x client library when connecting to Firebird 4+ servers allows local authenticated users to leak sensitive data through incorrect XSQLDA field length values. The vulnerability requires both the FB3 client library and an FB4+ server in the deployment. No active exploitation confirmed (not in CISA KEV), but CVSS 7.9 with scope change (S:C) indicates potential cross-boundary impact. Remediation requires upgrading the client library to Firebird 4.0.0 or higher.

Technical ContextAI

Firebird is an open-source SQL relational database management system supporting ANSI SQL standards. XSQLDA (Extended SQL Descriptor Area) is a data structure used in Firebird's client-server protocol to describe the format and metadata of query parameters and result sets. The vulnerability stems from CWE-200 (Exposure of Sensitive Information) where the FB3 client library incorrectly populates data length fields in XSQLDA structures during inter-version communication with FB4+ servers. This protocol-level incompatibility causes the client to misinterpret buffer boundaries, potentially exposing memory contents beyond intended data boundaries. The affected component is specifically the FB3 client library (cpe:2.3:a:firebirdsql:firebird:*:*:*:*:*:*:*:*), not the server itself, making this a client-side library vulnerability dependent on server version interaction.

RemediationAI

Upgrade all Firebird client libraries to version 4.0.0 or higher, available at https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.0. This is a client-side fix requiring application redeployment or library updates on systems running database client applications, not server patching. For environments unable to immediately upgrade client libraries, enforce network segmentation to limit local access to systems running Firebird clients, and audit all users with local system access (PR:L requirement). Alternatively, downgrade Firebird servers to 3.x versions to match client library versions, though this sacrifices FB4+ features and may introduce other security regressions. Monitor database connection logs for unexpected data access patterns that could indicate information leak exploitation. No server-side configuration workaround exists - this requires binary client library replacement.

EUVD-2025-209528 vulnerability details – vuln.today

Back