
Summary

A bug in the Firebird server was found by the Zero Day Initiative (ZDI) program. The bug is a weakness in Firebird's handling of its remote protocol.

The official CVE record is published here.

Affected versions

This bug has existed in the code base since InterBase 6 (or earlier). All versions of Firebird released prior to 5th May 2025 are affected.

Fixed Versions

  • Fixed in snapshots released for v3, v4 and v5 after 5th May 2025.

  • Fixed by the Firebird Project in official releases of v3.0.13, v4.0.6 and v5.0.3.

    These were made available on 14th/15th July 2025.

  • Fixed by IBPhoenix via a special build for v2.5.9.

    Available since 12th August 2025 from IBPhoenix.

Description

The vulnerability allows remote unauthenticated users to cause a denial of service via a NULL pointer dereference and subsequent crash of the server.

A malicious user can cause a DoS attack on a Firebird server by sending a specific sequence of bytes. It is not necessary to be logged in to the server. To exploit the vulnerability, it is sufficient to have access to the Firebird port.

It should be noted that the Classic server architecture is less vulnerable, inasmuch as existing connections will remain active. However, if the attack is sustained, no new connections will be possible for the lifetime of the attack, no matter which architecture is used.

It is not known if a proof of concept has been developed. However, once the vulnerability is published one should expect rogue users to develop an attack. With increased access to AI-based code generation models, the bar to exploit development has been lowered considerably.

Severity

This is not a 'drop what you are doing and fix it now' bug. The CVE rates its severity at medium with a CVSS score of 5.3. Fully secure internal networks are unlikely to be affected.

However three groups of Firebird users are vulnerable:

  • Obviously, servers with a publicly accessible IP address are at the greatest risk.
  • Internal networks that do not have total control over their users may also be at risk.
  • Application resellers that ship Firebird to their customers should also consider deploying this upgrade, as they probably cannot control their customers' network environment.

Recommendations

Users should update their installation to a fixed version.
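As an added example (not part of the IBPhoenix advisory), a small Python check that classifies a Firebird server version banner against the fixed official releases named above. The banner strings and build numbers in it are constructed samples; the 2.5.9 special build cannot be told apart from the vulnerable official 2.5.9 by version number alone, and a snapshot ("T") build's date is not visible in its version either, so both cases are flagged for manual verification rather than guessed.

```python
import re
from typing import Optional, Tuple

# First official release carrying the fix, per branch (from the advisory).
FIXED_RELEASES = {
    (3, 0): (3, 0, 13),
    (4, 0): (4, 0, 6),
    (5, 0): (5, 0, 3),
}
# Branch fixed only by the IBPhoenix special build; same version number
# as the vulnerable official 2.5.9, so it needs a manual check.
SPECIAL_BUILD_BRANCH = (2, 5)

# Banner shape assumed: "<platform>-<V|T><major>.<minor>.<release>.<build> ..."
# where V marks a release build and T a snapshot/test build.
VERSION_RE = re.compile(r"\b[A-Z]{2}-([VT])(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner: str) -> Optional[Tuple[str, int, int, int, int]]:
    """Return (kind, major, minor, release, build) or None if not recognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    kind, *nums = m.groups()
    return (kind, *map(int, nums))


def assess(banner: str) -> str:
    """Classify a banner: fixed / vulnerable / verify-special-build /
    verify-snapshot / unknown."""
    ver = parse_version(banner)
    if ver is None:
        return "unknown"
    kind, major, minor, release, _build = ver
    if kind == "T":
        # Snapshots after 5th May 2025 are fixed, but the date is not in the banner.
        return "verify-snapshot"
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return "fixed" if (major, minor, release) >= FIXED_RELEASES[branch] else "vulnerable"
    if branch == SPECIAL_BUILD_BRANCH and release >= 9:
        return "verify-special-build"
    return "vulnerable"  # older, unsupported branches: no fix published


if __name__ == "__main__":
    # Constructed sample banners (build numbers are made up).
    for b in ("WI-V3.0.12.33787 Firebird 3.0", "LI-V5.0.3.1600 Firebird 5.0",
              "WI-V2.5.9.27139 Firebird 2.5", "LI-T4.0.6.3200 Firebird 4.0"):
        print(f"{b!r}: {assess(b)}")
```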

Where to download the binaries

The Firebird Project has fixed this bug in the latest releases of all branches currently supported:

About the special build for Firebird 2.5.9

Firebird 2.5 is no longer supported by the Firebird Project. However, it is still supported by IBPhoenix.

We have produced a special build of Firebird 2.5.9 with this fix. There are no changes to the source code for this build other than the fix itself. It is intended to be dropped into an existing setup. Users can be confident that only minimal acceptance testing will be required.

You can get both 64-bit and 32-bit builds for Windows from our store for whatever price you see fair for our effort (including for free).

Special patched builds for other branches

Every Firebird release undergoes rigorous QA, but even point releases include minor improvements as well as a host of bug fixes. For operational reasons you may wish or need to remain on a particular point release of Firebird. IBPhoenix can provide a custom build of that release with just this patch. If this interests you, please get in touch.

A brief history of Firebird Database Vulnerabilities

Over the years there have been just 40 vulnerabilities reported for Firebird according to NIST, and two of these relate to poor deployment practice by a software company shipping Firebird as part of its application. Since its beginnings Firebird typically averages 1 report per year. The year 2007 was an outlier with 18 reports, and seven of the last 25 years had no reports at all.

And a comparison with other vendors

A brief study of the NIST web site indicates that most RDBMSs consistently see an average of 20 or more vulnerabilities published every year. Larger projects with larger user bases seem to have more CVEs. Does that mean they are more vulnerable? And what about severity? Many reports are low to medium risk and without deeper analysis we c. This is a subject that merits more research. But for now we can be confident that Firebird comes out very favourably when compared to its competitors.

For some DB admins it might be a question of 'another week, another vulnerability'.

But for Firebird - do not expect to see job ads for 'CVE monitor required for Firebird' any time soon.