Firebird 2.5.9 with security fix (CVE-2025-54989)

Summary

A bug in the Firebird server was reported through the Zero Day Initiative (ZDI) program. The bug is a weakness in Firebird's handling of its remote protocol, and it can be triggered over the network.

The official CVE record is published here.

Affected versions

This bug has existed in the code base since InterBase 6 (or earlier).

All versions of Firebird released prior to 5th May 2025 are affected.

Description

The vulnerability allows remote unauthenticated users to cause a denial of service via a NULL pointer dereference and subsequent crash of the server.

A malicious user can cause a DoS attack on a Firebird server by sending a specific sequence of bytes. It is not necessary to be logged in to the server. To exploit the vulnerability, it is sufficient to have access to the Firebird port.

It should be noted that the Classic server architecture is less vulnerable, inasmuch as existing connections will remain active. However, if the attack is sustained, no new connections will be possible for the lifetime of the attack, no matter which architecture is used.

It is not known if a proof of concept has been developed. However, once the vulnerability is published, one should expect rogue users to develop an attack. With increased access to AI-based code generation models, the bar to exploit development has been lowered considerably.

Severity

This is not a 'drop what you are doing and fix it now' bug. The CVE rates its severity at medium with a CVSS score of 5.3. Fully secure internal networks are unlikely to be affected.

However three groups of Firebird users are vulnerable:

  • Obviously servers with a publicly accessible IP address are at the greatest risk.
  • Internal networks that do not have total control over their users may also be at risk.
  • Application resellers that ship Firebird to their customers should also consider deploying this upgrade as they probably cannot control their customers' network environment.