CVE-2025-65104

Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher.

CVSS v3 7.9 HIGH

7.9^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.0 / Impact : 5.3

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.0	Product Release Notes
https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-mfpr-9886-xjhg	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:firebirdsql:firebird:*:*:*:*:*:*:*:*

History

24 Apr 2026, 20:27

Type	Values Removed	Values Added
First Time		Firebirdsql firebird Firebirdsql
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:firebirdsql:firebird::::::::
References	~~() https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.0 -~~	() https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.0 - Product, Release Notes
References	~~() https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-mfpr-9886-xjhg -~~	() https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-mfpr-9886-xjhg - Vendor Advisory

17 Apr 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-17 18:16

Updated : 2026-04-24 20:27

NVD link : CVE-2025-65104

Mitre link : CVE-2025-65104

CVE.ORG link : CVE-2025-65104

JSON object : View

Products Affected

firebirdsql

firebird

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2025-65104", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.9, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 5.3, "exploitabilityScore": 2.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-04-17T18:16:30.773", "references": [{"url": "https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.0", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-mfpr-9886-xjhg", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher."}], "lastModified": "2026-04-24T20:27:22.923", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:firebirdsql:firebird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53D811A2-F880-46E9-9F7F-1CE3AC487F67", "versionEndExcluding": "3.0.14"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}