CVE-2025-5878 is a medium severity vulnerability found in the ESAPI (Enterprise Security API) esapi-java-legacy library, specifically affecting the Encoder.encodeForSQL interface used for SQL Injection defense. The vulnerability arises from improper neutralization of special elements within SQL queries, which can lead to SQL Injection attacks. This flaw allows an attacker to remotely exploit the system without requiring authentication or user interaction, potentially manipulating SQL queries to access, modify, or delete sensitive data. The vulnerability affects a broad range of esapi-java-legacy versions from 2.0-rc10 through 2.6.2.0. The issue was responsibly disclosed and addressed by the ESAPI project, which released version 2.7.0.0 that disables the vulnerable feature by default and issues warnings if it is used. Additionally, documentation was updated to clarify the risks associated with the affected interface. The CVSS 4.0 score of 6.9 reflects a medium severity, indicating a network-exploitable vulnerability with low complexity and no required privileges or user interaction, but with limited impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the public disclosure and availability of patches necessitate prompt remediation.

For European organizations, this vulnerability poses a significant risk especially to those relying on legacy Java applications that utilize the esapi-java-legacy library for SQL Injection defense. Exploitation could lead to unauthorized data access or manipulation, potentially compromising sensitive personal data protected under GDPR, intellectual property, or critical business information. The remote and unauthenticated nature of the exploit increases the risk of automated attacks and widespread exploitation. Organizations in sectors such as finance, healthcare, government, and critical infrastructure, which often use Java-based enterprise applications, could face data breaches, regulatory penalties, and reputational damage. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system compromise or widespread denial of service, but the risk to data integrity and confidentiality remains substantial.

European organizations should immediately inventory their software to identify usage of the esapi-java-legacy library within affected versions. The primary mitigation is to upgrade to ESAPI version 2.7.0.0 or later, which disables the vulnerable encodeForSQL feature by default and provides warnings to prevent misuse. If immediate upgrading is not feasible, organizations should audit and refactor code to avoid using the Encoder.encodeForSQL interface altogether. Implementing additional layers of defense such as parameterized queries or prepared statements can further reduce SQL Injection risks. Security teams should also monitor network traffic and logs for unusual SQL query patterns indicative of exploitation attempts. Regularly updating Java dependencies and integrating security testing into the development lifecycle will help prevent similar vulnerabilities. Finally, educating developers about secure coding practices and the limitations of legacy security libraries is critical to long-term risk reduction.