Applies to
- Liquibase Secure
- Liquibase Open Source (Community)
Overview
This article addresses common questions about the security vulnerability CVE-2025-59250 identified in the Microsoft SQL Server JDBC driver bundled with Liquibase, and the remediation steps available in Liquibase Secure 5.0.2.
For complete vulnerability details, see the official security advisory or the Liquibase Secure 5.0.2 release notes.
Can I fix this vulnerability without upgrading Liquibase?
Yes. While upgrading to Liquibase Secure 5.0.2 is the recommended approach, you can remediate the vulnerability by manually replacing the MSSQL JDBC driver that Liquibase uses.
How to replace the JDBC driver:
- Locate the mssql-jdbc.jar file in your Liquibase installation directory. It is in one of:
  - liquibase/lib/
  - liquibase/internal/lib/
- Download a patched version of the MSSQL JDBC driver from Microsoft.
- Replace the existing mssql-jdbc.jar with the updated driver.
Patched driver versions:
Multiple driver versions were patched between v10.2.4 and v13.2.1. Liquibase Secure 5.0.2 ships with mssql-jdbc v12.10.2.jre8.
Important considerations:
- Testing required: Newer JDBC driver versions have not been tested with older Liquibase versions. Please test thoroughly in a non-production environment before deploying.
- Compatibility: While you can use the v12.10.2.jre8 driver shipped with Liquibase Secure 5.0.2, compatibility with older Liquibase versions is not guaranteed.
- Version selection: Choose a patched driver version that aligns with your current setup. Refer to the Microsoft Release Notes page for available patched versions.
Is this security patch available in Liquibase Community (OSS)?
No. The security patches in Liquibase Secure 5.0.2 and 5.0.3 are not available for Liquibase Community (OSS) versions.
Why the difference?
Starting with Liquibase version 5.0, there is a split between Liquibase Secure and Liquibase Community:
- Liquibase Secure receives frequent security patches and updates
- Liquibase Community has a different release cadence and does not receive the same security updates
What are my options?
- Upgrade to Liquibase Secure - If security patches are critical for your pipelines, consider upgrading to Liquibase Secure to receive timely updates.
- Manually update the JDBC driver - Follow the workaround steps in the previous question to replace the vulnerable driver in your Community installation.
- Review feature comparison - See the Liquibase Secure vs. Community comparison page for a detailed breakdown of differences.
How do I verify that I've successfully updated?
Run the following command to check your Liquibase version:
liquibase --version
You should see:
Liquibase Secure Version: 5.0.2
If you manually updated the JDBC driver instead of upgrading Liquibase, verify that the mssql-jdbc.jar file in your installation directory matches the version you downloaded (check the filename or file properties).
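The following script is an added example, not part of this article or of Liquibase's own tooling: it scans both lib directories named above for mssql-jdbc jars, reads the version recorded inside each jar, and reports whether every copy matches the version you installed. It assumes the driver jar is Maven-built and carries META-INF/maven/com.microsoft.sqlserver/mssql-jdbc/pom.properties or a MANIFEST.MF Implementation-Version; otherwise it falls back to the version in the filename.

```python
# Added example (not Liquibase's own code): audit mssql-jdbc jars in a Liquibase install.
import re
import zipfile
from pathlib import Path
from typing import Dict, Optional

# Directories the article names as possible locations of the driver.
LIB_DIRS = ("lib", "internal/lib")
# Assumption: Maven-built jars carry pom.properties with a "version=" line.
POM_PROPS = "META-INF/maven/com.microsoft.sqlserver/mssql-jdbc/pom.properties"

def jar_version(jar: Path) -> Optional[str]:
    """Version recorded inside the jar (pom.properties, then MANIFEST.MF), else from the filename."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode().splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    m = re.search(r"mssql-jdbc-(\d+\.\d+\.\d+(?:\.jre\d+)?)\.jar$", jar.name)
    return m.group(1) if m else None

def audit(install_dir: str, expected: str) -> Dict[str, object]:
    """Map every mssql-jdbc jar (relative path) to its version.

    'ok' is True only when at least one jar was found and every copy reports the
    expected version: a stale copy left in the other lib directory would still be
    on the classpath, so a single updated jar is not enough."""
    root = Path(install_dir)
    found: Dict[str, Optional[str]] = {}
    for sub in LIB_DIRS:
        d = root / sub
        if not d.is_dir():
            continue
        for jar in sorted(d.glob("mssql-jdbc*.jar")):
            found[str(jar.relative_to(root))] = jar_version(jar)
    ok = bool(found) and all(v == expected for v in found.values())
    return {"jars": found, "ok": ok}

if __name__ == "__main__":
    import sys
    # Usage: python audit_mssql_jdbc.py /path/to/liquibase 12.10.2.jre8
    report = audit(sys.argv[1], sys.argv[2])
    for path, version in report["jars"].items():
        print(f"{path}: {version}")
    print("OK" if report["ok"] else "MISMATCH OR MISSING")
```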
Who is affected by this vulnerability?
This vulnerability affects:
- All users of Liquibase OSS & Pro 4.33 and earlier
- All users of Liquibase Secure & Community 5.0.1 and earlier
- Specifically impacts customers using Microsoft SQL Server databases
Note: If you don't use Microsoft SQL Server, the vulnerable component is present in your installation but is not actively used.
What is the severity of this vulnerability?
- CVE ID: CVE-2025-59250
- CVSS Score: 8.1 (High)
- Attack Vector: Network-based spoofing attack
- Risk: Could allow an attacker to intercept SQL credentials through certificate manipulation
- Required Conditions: Attacker must trick a user into connecting to a malicious server (via DNS poisoning or phishing)
How do I update to Liquibase Secure 5.0.2?
| Deployment Method | Update Instructions |
|---|---|
| CLI Binaries | Download 5.0.2 from liquibase.com/download-secure |
| Docker | Pull liquibase/liquibase-secure:5.0.2 or latest |
| GitHub Actions | Update to liquibase/setup-liquibase@v1 with version 5.0.2 |
| Maven | Update liquibase-maven-plugin to version 5.0.2 |
| Package Managers | Install liquibase-secure-5.0.2 package |