Notice Regarding SQLite Vulnerability (CVE-2025-6965) in Curl RTE

Thank you for using our products and services. This notice provides information about the recently disclosed SQLite vulnerability (CVE-2025-6965) and its relevance to Curl products.

Vulnerability Overview (CVE-2025-6965)

Affected Versions: All SQLite versions prior to 3.50.2
Severity: CVSS Score 7.2 (High)
Reference: https://www.cve.org/CVERecord?id=CVE-2025-6965

Summary

When the number of aggregate functions (SUM, AVG, COUNT, etc.) exceeds the number of table columns, internal inconsistencies may occur, potentially leading to:

  • Numeric truncation (CWE-197)
  • Memory corruption leading to abnormal termination

Example of SQL That Triggers the Issue

-- Columns: 1
CREATE TABLE sales (
  amount INTEGER
);
-- Aggregate items: 5 (exceeds column count)
SELECT SUM(amount), AVG(amount), MIN(amount), MAX(amount), COUNT(amount)
FROM sales;

Impact on Curl RTE

Conclusion: Curl RTE itself is not affected by this vulnerability.

Curl RTE does not internally use SQLite. It only provides API functions for Curl applications to use SQLite, meaning actual usage occurs on the application side.

Behavior When Vulnerability is Triggered

The following exception may occur:

"A non-null value is required at this location (0x5CCE8F24), but null was provided."

Potentially Affected Curl Applications

An application may be affected if all of the following conditions are met:

  1. The Curl application uses Curl RTE 8.0.15 or earlier
  2. It uses Curl RTE's SQLite API
  3. It may execute SQL where the number of aggregate items exceeds the table's column count
  4. It dynamically generates SQL including external inputs
  5. The application could be exploited by an attacker

Recommended Actions

Immediate Actions

  • Review SQL execution paths to ensure aggregate items do not exceed column counts
  • Use parameterized queries when SQL includes external inputs
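
One way to apply both immediate actions, shown as an added example that is not part of the original notice and is not Curl code. It uses Python's standard sqlite3 module as a stand-in for the Curl RTE SQLite API; the function names and the sales table are assumptions for illustration.

```python
# Added illustration: Python's sqlite3 stands in for the Curl RTE SQLite API (assumption).
import sqlite3

FIXED_VERSION = (3, 50, 2)  # fixed SQLite release according to this notice
ALLOWED_AGGREGATES = {"SUM", "AVG", "MIN", "MAX", "COUNT"}


def sqlite_is_patched(version_info=None):
    """True when the linked SQLite library is 3.50.2 or later."""
    if version_info is None:
        version_info = sqlite3.sqlite_version_info
    return tuple(version_info) >= FIXED_VERSION


def table_columns(conn, table):
    """Column names of `table`, taken from the schema, never from user input."""
    known = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in known:
        raise ValueError(f"unknown table: {table!r}")
    return [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]


def build_aggregate_query(conn, table, requested, filter_column, min_value):
    """Build (sql, params) from externally supplied (function, column) pairs.

    Identifiers must match allow-lists, the number of aggregate items is capped
    at the table's column count, and the filter value is bound with a placeholder.
    """
    columns = table_columns(conn, table)
    if not requested or len(requested) > len(columns):
        raise ValueError("aggregate item count must be between 1 and the column count")
    if filter_column not in columns:
        raise ValueError(f"unknown filter column: {filter_column!r}")
    items = []
    for func, column in requested:
        if func.upper() not in ALLOWED_AGGREGATES or column not in columns:
            raise ValueError(f"rejected aggregate item: {func}({column})")
        items.append(f'{func.upper()}("{column}")')
    sql = f'SELECT {", ".join(items)} FROM "{table}" WHERE "{filter_column}" >= ?'
    return sql, (min_value,)


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")  # constructed sample data
    conn.execute("CREATE TABLE sales (amount INTEGER)")
    conn.executemany("INSERT INTO sales VALUES (?)", [(5,), (10,), (20,)])
    print("patched SQLite:", sqlite_is_patched())
    sql, params = build_aggregate_query(conn, "sales", [("sum", "amount")], "amount", 10)
    print(sql, conn.execute(sql, params).fetchone())
```

The column-count cap mirrors the condition stated in this notice; once the SQLite library is 3.50.2 or later the cap is no longer needed, while the allow-lists and the bound parameter remain good practice.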

Permanent Actions

  • An update to SQLite 3.50.2 or later is in progress and will be provided in Curl RTE 8.0.16 or later. Contact our support center for the update schedule and procedure.

Summary

  • Curl RTE itself is unaffected because it does not internally use SQLite
  • Impact depends on how each Curl application uses the SQLite API
  • If your application matches the above conditions, review your SQL implementation

If you have any questions, please contact our support team.