Alan Coopersmith wrote at 00:29 +0000 on Sep 6, 2025: > https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g > was published on August 15 ...
That posting indicates that the affected sqlite versions are in the range [3.49.1 - 3.50.2]. Looking back in git history for sqlite, I see the affected code present back to 3.43.0. It may be I did not look deep enough, but I don't see any rationale for declaring versions less that 3.49.1 unaffected. A question has been posted where GHSA-v2c8-vqqp-hv3g was generated: https://github.com/google/security-research/issues/278 I could not find a reference to CVE-2025-7709 at sqlite.org (in git or elsewhere). So it's not clear how much they agree (or not) with the GHSA-v2c8-vqqp-hv3g advisory. I think the following blurb in sqlite.org release notes (https://sqlite.org/releaselog/3_50_3.html) refers to the issue: ======== Changes in this specific patch release, version 3.50.3 (2025-07-17): 27. Fix a possible memory error that can occur if a query is made against against FTS5 index that has been deliberately corrupted in a very specific way. ======== But that doesn't reference a particular commit nor what range of versions include this error. This is the commit I think: https://www.sqlite.org/src/info/63595b74956a9391f And the commit message says: " Optimize allocation of large tombstone arrays in fts5. " Nothing about this being an overflow of 32 bit values or that it addresses the CVE. If that is the fix for CVE-2025-7709 (as GHSA-v2c8-vqqp-hv3g indicates), then as far as I can see this problem exists back to sqlite 3.43.0
