A bug in the Firebird server was found by the Zero Day Initiative (ZDI) program. The bug exploits a weakness in Firebird’s remote protocol.
The official CVE record is published here.
This bug has existed in the code base since InterBase 6 (or earlier.) and all versions of Firebird released prior to 5th May 2025 are affected.
The vulnerability allows remote unauthenticated users to cause a denial of service via a NULL pointer dereference and subsequent crash of the server.
A malicious user can cause a DoS attack on a Firebird server by sending a specific sequence of bytes. It is not necessary to be logged in to the server. To exploit the vulnerability, it is sufficient to have access to the Firebird port.
It should be noted that the Classic server architecture is less vulnerable, inasmuch as existing connections will remain active. However if the attack is sustained no new connections will be possible for the lifetime of the attack, no matter which architecture is used.
It is not known if a proof of concept has been developed. However, once the vulnerability is published one should expect rogue users to develop an attack. With increased access to AI based code generation models the bar to exploit development has been lowered considerably.
The Firebird Project has fixed this bug in the latest releases of all branches currently supported: 5.0.3, 4.0.6 and 3.0.13
While Firebird 2.5 is no longer supported by the Firebird project, it’s still supported by IBPhoenix!
We have produced a special build of Firebird 2.5.9 with this fix. There are no other changes to the source code for this build other than the fix itself. It is intended to be dropped in to an existing setup. Users can be confident that only minimal acceptance testing will be required.
You can get both 64-bit and 32-bit builds for Windows from our store for whatever price you see fair for our effort (including for free).
