Our scan tool found a new CVE-2025-29087 in SQLite. Does it affect “net.zetetic:android-database-sqlcipher:4.5.3”?
Hello @chen_song - yes, net.zetetic:android-database-sqlcipher:4.5.3
is affected by that CVE. However, the impact of the CVE is relatively limited and only applies if you are using concat_ws()
and the attacker can control some of the input to the function. See here for relevant analysis of the CVE scope:
That said, our recommendation would be to upgrade to SQLCipher 4.7 which is based on SQLite 3.49.1 where these issues are resolved.
Note that the Community Edition of android-database-sqlcipher is deprecated and is no longer being updated (i.e. there is no 4.7 release of that library). If you are using Community Edition and decide to upgrade you will either need to move to sqlcipher-android or switch to Commercial Edition for long term support.
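Added example (not part of the thread above, and not Zetetic's code): a small triage script that reports what the reply says matters, namely which SQLite version a given build embeds, whether that version is at or above 3.49.1 (the version the reply names as resolving the issue), and whether the concat_ws() function is even exposed by that build. It uses Python's standard sqlite3 module purely for portability; against an actual SQLCipher build you would open the connection through the SQLCipher binding you use instead, and the same queries apply. The 3.49.1 threshold comes from the reply; the function names are my own.

```python
import re
import sqlite3

# Version the reply identifies as carrying the fix (SQLite 3.49.1, bundled in SQLCipher 4.7).
FIXED_VERSION = (3, 49, 1)


def parse_version(version: str) -> tuple:
    """Turn '3.49.1' into (3, 49, 1) so versions compare numerically, not lexically."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised SQLite version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_fixed(version: str) -> bool:
    """True when the embedded SQLite is at or above the version the reply says resolves the CVE."""
    return parse_version(version) >= FIXED_VERSION


def embedded_sqlite_version(conn: sqlite3.Connection) -> str:
    """Ask the library itself rather than trusting the package version in the build file."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


def has_concat_ws(conn: sqlite3.Connection) -> bool:
    """Probe for concat_ws(); older SQLite builds raise 'no such function'.

    The reply scopes the issue to code that calls concat_ws() with attacker-influenced
    input, so a build that lacks the function cannot reach the affected path at all.
    """
    try:
        conn.execute("SELECT concat_ws(',', 'a', 'b')").fetchone()
        return True
    except sqlite3.OperationalError as exc:
        if "no such function" in str(exc):
            return False
        raise


def triage(conn: sqlite3.Connection) -> dict:
    """Summarise exposure for the connected build in one dict."""
    version = embedded_sqlite_version(conn)
    exposes_fn = has_concat_ws(conn)
    return {
        "sqlite_version": version,
        "fixed": is_fixed(version),
        "has_concat_ws": exposes_fn,
        # Hypothetical label for the reader: only worth auditing app SQL for concat_ws()
        # usage when the build is below the fixed version and actually exposes the function.
        "review_concat_ws_usage": exposes_fn and not is_fixed(version),
    }


if __name__ == "__main__":
    # Constructed sample: an in-memory database from the interpreter's own SQLite.
    with sqlite3.connect(":memory:") as c:
        print(triage(c))
```

Run it against the same SQLite binding your app links, and if `review_concat_ws_usage` comes back true, grep your schema, views and query strings for `concat_ws(` before deciding how urgent the upgrade is.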