{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/information-leak/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.9,"id":"CVE-2025-65104"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2025-65104","information-leak","firebird"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-65104 describes an information leak vulnerability affecting the Firebird open-source relational database management system. The vulnerability exists within the FB3 versions of the client library. When an FB3 client communicates with a Firebird FB4 or higher server, the client library incorrectly places data length values into the XSQLDA (SQL Data Area) fields. This incorrect handling of data lengths can result in an information leak, potentially exposing sensitive data to an attacker with local access. The vulnerability was reported in April 2026. The recommended solution is to upgrade the client library to FB4 or a later version. This vulnerability is significant because it could allow unauthorized access to sensitive information stored within the Firebird database.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to a system with a Firebird FB3 client library installed.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a Firebird FB4 or higher server to target.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL query or uses an existing application to interact with the server.\u003c/li\u003e\n\u003cli\u003eThe FB3 client library processes the query and prepares the XSQLDA structure.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the FB3 client library places incorrect data length values into the XSQLDA fields.\u003c/li\u003e\n\u003cli\u003eThe server responds with data, and the client uses the incorrect length values to interpret the response.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the incorrect data length values to extract more data than intended, leading to an information leak.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the leaked information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-65104 results in an information leak. An attacker with local access can potentially extract sensitive data from a Firebird database server. While the exact impact depends on the data stored, it could include user credentials, financial data, or other confidential information. This could lead to further compromise of systems and data. The vulnerability exists because of incorrect data length calculations when FB3 clients communicate with FB4+ servers, which highlights the importance of maintaining up-to-date client libraries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all Firebird client libraries to version FB4 or higher to remediate CVE-2025-65104 as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eMonitor network connections and process creations involving \u003ccode\u003efbclient.dll\u003c/code\u003e or \u003ccode\u003elibfbclient.so\u003c/code\u003e (depending on the OS) to detect suspicious activity related to Firebird database interactions.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided below to detect suspicious process execution related to Firebird clients.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T18:16:30Z","date_published":"2026-04-17T18:16:30Z","id":"/briefs/2026-04-firebird-xsqlda-leak/","summary":"Firebird FB3 client library incorrectly handles data lengths when communicating with FB4+ servers, leading to an information leak exploitable by a local attacker.","title":"Firebird FB3 Client Library Information Leak (CVE-2025-65104)","url":"https://feed.craftedsignal.io/briefs/2026-04-firebird-xsqlda-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Information-Leak","version":"https://jsonfeed.org/version/1.1"}