CVE-2025-54989

Firebird XDR Message Parsing NULL Pointer Dereference Denial-of-Service Vulnerability

Description

Firebird is a relational database. Prior to versions 3.0.13, 4.0.6, and 5.0.3, there is an XDR message parsing NULL pointer dereference denial-of-service vulnerability in Firebird. This specific flaw exists within the parsing of xdr message from client. It leads to NULL pointer dereference and DoS. This issue has been patched in versions 3.0.13, 4.0.6, and 5.0.3.

References

Link	Tags
https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-7qp6-hqxj-pjjp	third party advisory
https://github.com/FirebirdSQL/firebird/issues/8554	issue tracking
https://github.com/FirebirdSQL/firebird/commit/169da595f8693fc1a65a79c741724b1bc8db9f25	patch

Frequently Asked Questions

What is the severity of CVE-2025-54989?: CVE-2025-54989 has been scored as a medium severity vulnerability.
How to fix CVE-2025-54989?: To fix CVE-2025-54989, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-54989 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-54989 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-54989?: CVE-2025-54989 affects FirebirdSQL firebird.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-476 – NULL Pointer Dereference

References

Frequently Asked Questions