CVE-2025-24975 Overview
CVE-2025-24975 is a high-severity flaw in Firebird, an open-source relational database management system. The vulnerability exists in versions prior to snapshot releases 4.0.6.3183, 5.0.2.1610, and 6.0.0.609. When ExtConnPoolSize is not set to 0, Firebird fails to verify whether pooled external connections still match the required CryptCallback interface. This mismatch triggers a segmentation fault in the server process. The flaw also enables unauthorized access to encrypted databases through chained EXECUTE STATEMENT ON EXTERNAL calls, where a later attachment may reuse cached state without providing the encryption key.
Critical Impact
An authenticated attacker can crash the Firebird server process and access encrypted databases without supplying the corresponding key, breaking confidentiality and availability guarantees.
Affected Products
- Firebird versions prior to 4.0.6.3183
- Firebird versions prior to 5.0.2.1610
- Firebird versions prior to 6.0.0.609
Discovery Timeline
- 2025-08-15 - CVE-2025-24975 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-24975
Vulnerability Analysis
The flaw resides in the external connection pool (ExtConnPool) subsystem used by EXECUTE STATEMENT ON EXTERNAL DATA SOURCE. Firebird caches outbound connections to remote or external databases to reduce reconnection overhead. The cached connections retain authentication and cryptographic context from the original session. When a subsequent attachment requests an external connection, the server returns a pooled entry without re-validating that the current session provides the CryptCallback interface required for that connection.
This improper check leads to two distinct failure modes. First, the server process dereferences a missing or incompatible CryptCallback and crashes with a segfault. Second, a session that lacks the encryption key for an encrypted database can attach to that database through a reused pool entry. The classification maps to [CWE-754] Improper Check for Unusual or Exceptional Conditions.
Root Cause
The root cause is the absence of a suitability check on pooled external connections. The pool manager treats any cached connection as reusable, ignoring whether the requesting attachment supplies the CryptCallback originally used to open the encrypted target. Chained EXECUTE STATEMENT calls amplify the issue by introducing additional state transitions that the pool does not reconcile, leading to crashes that also affect unencrypted databases.
Attack Vector
The attack is network-reachable and requires low-privilege authenticated access to a Firebird instance with ExtConnPoolSize greater than 0. An attacker issues a sequence of EXECUTE STATEMENT ON EXTERNAL queries against an encrypted database, then opens a new attachment that omits the CryptCallback. The reused pool entry either grants access without the key or triggers a segfault that disrupts service for all clients connected to the server.
No public proof-of-concept or exploit code is available. See the Firebird Security Advisory GHSA-fx9r-rj68-7p69 for vendor-confirmed technical details.
Detection Methods for CVE-2025-24975
Indicators of Compromise
- Unexpected firebird or fbserver process crashes recorded as segmentation faults in firebird.log or system journals.
- Successful attachments to encrypted databases from sessions that did not negotiate a CryptCallback.
- Spikes in EXECUTE STATEMENT ON EXTERNAL DATA SOURCE activity originating from a single authenticated user.
Detection Strategies
- Inspect firebird.conf across hosts and flag instances where ExtConnPoolSize is greater than 0 on versions earlier than 4.0.6.3183, 5.0.2.1610, or 6.0.0.609.
- Correlate Firebird trace logs with operating system crash reports to identify repeated segfaults tied to external statement execution.
- Audit Firebird trace API output for attachments that access encrypted databases without presenting key material.
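The first check in this list, sketched as an added example (not code from the advisory or the Firebird project): it classifies hosts from a reported version string and the text of firebird.conf. The inventory, status labels and function names are constructed for illustration, and treating an absent ExtConnPoolSize as 0 is an assumption to confirm against your build's defaults.

```python
import re
# Fixed snapshot builds per release branch, as listed in the advisory above.
FIXED_BUILDS = {4: (4, 0, 6, 3183), 5: (5, 0, 2, 1610), 6: (6, 0, 0, 609)}
SETTING = re.compile(r"^\s*ExtConnPoolSize\s*=\s*(\S+)", re.IGNORECASE)
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def pool_size(conf_text):
    """Largest uncommented ExtConnPoolSize in firebird.conf text.
    Assumptions: an absent key means 0; a repeated key counts at its largest
    value. Returns None for a non-integer value (needs manual review)."""
    sizes = []
    for line in conf_text.splitlines():
        m = SETTING.match(line.split("#", 1)[0])  # ignore comments
        if m:
            try:
                sizes.append(int(m.group(1)))
            except ValueError:
                return None
    return max(sizes, default=0)

def is_fixed(version_text):
    """True/False on a branch the advisory names, None otherwise."""
    m = VERSION.search(version_text)
    if not m:
        return None
    build = tuple(int(p) for p in m.groups())
    fixed = FIXED_BUILDS.get(build[0])
    return None if fixed is None else build >= fixed

def assess(version_text, conf_text):
    size, fixed = pool_size(conf_text), is_fixed(version_text)
    if size is None or fixed is None:
        return "review"        # unknown branch or unparsable setting
    if fixed:
        return "patched"
    return "exposed" if size > 0 else "workaround"

# Constructed inventory: host -> (reported version string, firebird.conf text)
INVENTORY = {
    "db-a": ("LI-V4.0.5.3140 Firebird 4.0", "ExtConnPoolSize = 16  # reuse\n"),
    "db-b": ("LI-V5.0.1.1469 Firebird 5.0", "#ExtConnPoolSize = 8\n"),
    "db-c": ("WI-V5.0.2.1610 Firebird 5.0", "ExtConnPoolSize = 32\n"),
    "db-d": ("LI-V3.0.10.33601 Firebird 3.0", "RemoteServicePort = 3050\n"),
}

def scan(inventory):
    return {host: assess(ver, conf) for host, (ver, conf) in inventory.items()}

print(scan(INVENTORY))
```

Hosts reported as "workaround" still run a vulnerable build with the pool disabled, so they stay on the patch list.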
Monitoring Recommendations
- Forward Firebird server logs and host crash telemetry to a centralized analytics platform for correlation across instances.
- Alert on restart loops of the Firebird service, which often follow segfault conditions triggered by this flaw.
- Track query patterns that chain multiple EXECUTE STATEMENT ON EXTERNAL calls within a single session.
How to Mitigate CVE-2025-24975
Immediate Actions Required
- Upgrade Firebird to snapshot 4.0.6.3183, 5.0.2.1610, or 6.0.0.609, or to point releases 4.0.6 and 5.0.2.
- Inventory all Firebird deployments and prioritize internet-exposed or multi-tenant instances for patching first.
- Restrict database user accounts that can issue EXECUTE STATEMENT ON EXTERNAL DATA SOURCE to trusted operators only.
Patch Information
The Firebird project addressed the issue in commit 658abd20449f72097fbbce57e8e6ae42ff837fb6, which adds verification of the CryptCallback interface before reusing a pooled external connection. Fixed builds are published as snapshots 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, and as point releases 4.0.6 and 5.0.2. Refer to the GitHub Security Advisory GHSA-fx9r-rj68-7p69 for release artifacts.
Workarounds
- Set ExtConnPoolSize = 0 in firebird.conf to disable the external connection pool until patching completes.
- Restart the Firebird service after configuration changes to ensure the new value is loaded.
- Block network access to Firebird ports from untrusted networks while remediation is in progress.
# Configuration example - firebird.conf
ExtConnPoolSize = 0
# Then, from a shell, restart the Firebird service to apply (the service name may differ by distribution)
sudo systemctl restart firebird

