
CVE-2025-24975: CWE-754: Improper Check for Unusual or Exceptional Conditions in FirebirdSQL firebird

Severity: High
Published: Fri Aug 15 2025 (08/15/2025, 15:11:29 UTC)
Source: CVE Database V5
Vendor/Project: FirebirdSQL
Product: firebird

Description

Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. Connections stored in ExtConnPool are not verified for the presence and suitability of the CryptCallback interface that was used when they were created versus what is available, which could result in a segfault in the server process. Encrypted databases accessed by EXECUTE STATEMENT ON EXTERNAL may be accessed later by an attachment that is missing a key to that database. When EXECUTE STATEMENT calls are chained, a segfault may happen. Additionally, the segfault may affect unencrypted databases. This issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for this issue involves setting ExtConnPoolSize equal to 0 in firebird.conf.

AI-Powered Analysis

Last updated: 08/23/2025, 00:50:14 UTC

Technical Analysis

CVE-2025-24975 is a high-severity vulnerability affecting FirebirdSQL, a widely used open-source relational database management system. The vulnerability arises from improper checks for unusual or exceptional conditions (CWE-754) in the external connection pool feature (ExtConnPool). When ExtConnPoolSize is set to a non-zero value, the Firebird server does not verify that the CryptCallback interface a pooled connection was created with is present and suitable for what is available when that connection is reused. This flaw can lead to segmentation faults (segfaults) in the server process, and it affects both encrypted and unencrypted databases. An encrypted database that was accessed by EXECUTE STATEMENT ON EXTERNAL may later be accessed by an attachment that does not hold the key to that database, and when EXECUTE STATEMENT calls are chained a segfault may occur. The segfaults can result in denial-of-service conditions, potentially disrupting database availability.

The issue is present in Firebird versions prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609. Firebird has patched it in those snapshot versions and in point releases 4.0.6 and 5.0.2. A temporary mitigation is to set ExtConnPoolSize to 0 in the firebird.conf configuration file, which disables the external connection pool and prevents the flaw from being triggered. The CVSS 3.1 base score is 7.1, reflecting high severity with network attack vector, high complexity, low privileges required, no user interaction, and high impact on confidentiality and integrity with low impact on availability.

Potential Impact

For European organizations relying on FirebirdSQL databases, this vulnerability poses significant risks. The potential unauthorized access to encrypted databases without keys threatens confidentiality of sensitive data, including personal data protected under GDPR. Segfaults causing server crashes can lead to denial of service, impacting business continuity and availability of critical applications. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that use FirebirdSQL could face operational disruptions and data breaches. The requirement for low privileges but no user interaction means attackers could exploit this remotely if the database is exposed or accessible within internal networks. The chaining of execute statements on external databases increases the attack surface in complex database environments. Failure to patch or apply mitigations could result in data leakage, service outages, and regulatory non-compliance with potential fines and reputational damage.

Mitigation Recommendations

1. Immediately upgrade FirebirdSQL to versions 4.0.6.3183, 5.0.2.1610, 6.0.0.609 or later where the vulnerability is patched.
2. As an interim workaround, set ExtConnPoolSize=0 in firebird.conf to disable the external connection pool feature, preventing the vulnerability from being triggered.
3. Audit database configurations and usage of execute statements on external databases to minimize complex chaining that could be exploited.
4. Restrict network exposure of FirebirdSQL servers to trusted internal networks and implement strict access controls to limit potential attackers.
5. Monitor FirebirdSQL server logs for unusual crashes or segfaults that could indicate exploitation attempts.
6. Conduct a thorough review of encrypted database access controls and cryptographic key management to ensure no unauthorized access is possible.
7. Incorporate this vulnerability into incident response plans and ensure rapid patch deployment processes are in place for database infrastructure.
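Recommendations 1 and 2 can be checked together per server. The following is an added example, not code from the Firebird project or from this advisory's source: it classifies a build string against the fixed snapshot versions named above and looks for an active non-zero ExtConnPoolSize in firebird.conf text. It assumes `#` starts a comment, that parameter names are matched case-insensitively, and that an unset parameter leaves the pool disabled; the sample config and version strings are constructed.

```python
import re

# Fixed snapshot builds per branch, as listed in the advisory.
FIXED = {(4, 0): (4, 0, 6, 3183), (5, 0): (5, 0, 2, 1610), (6, 0): (6, 0, 0, 609)}
SETTING = re.compile(r"^\s*ExtConnPoolSize\s*=\s*(\S+)", re.IGNORECASE)

# Constructed sample config (not taken from a real server).
SAMPLE_CONF = """\
#ExtConnPoolSize = 0
ExtConnPoolSize = 50   # pool enabled
ExtConnPoolLifeTime = 7200
"""

def pool_sizes(conf_text):
    """Return every uncommented ExtConnPoolSize value in firebird.conf text."""
    values = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments (assumption: '#' only)
        m = SETTING.match(line)
        if m:
            values.append(m.group(1))
    return values

def pool_enabled(conf_text):
    """True if any active value is not exactly 0; non-numeric values are suspect."""
    return any(not v.isdigit() or int(v) != 0 for v in pool_sizes(conf_text))

def build_status(version):
    """Classify a build string such as '5.0.1.1469' against the fixed snapshots."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unknown"
    v = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown"  # branch not named in the advisory
    return "patched" if v >= fixed else "unpatched"

def assess(version, conf_text):
    """Combine build and config checks into one finding per server."""
    status = build_status(version)
    if status == "patched":
        return "ok: patched build"
    if pool_enabled(conf_text):
        return f"action: {status} build with external connection pool enabled"
    return f"mitigated: {status} build, ExtConnPoolSize is 0 or unset"

if __name__ == "__main__":
    print(assess("LI-V4.0.5.3140", SAMPLE_CONF))  # constructed version string
```

Any active non-zero value is flagged rather than only the last one, so duplicate entries in the file cannot hide an enabled pool.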


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-01-29T15:18:03.211Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689f4faaad5a09ad006e06d6

Added to database: 8/15/2025, 3:18:02 PM

Last enriched: 8/23/2025, 12:50:14 AM

Last updated: 9/27/2025, 7:53:02 AM
