SQLitePCLRaw.lib.e_sqlite3 Has a Vulnerable Dependency on SQLite (CVE-2025-6965)
Environment
| Product | Progress® Telerik® Reporting |
| Version | 20.1.26.615 and earlier |
Description
After running a dependency audit or reviewing GitHub Dependabot alerts, the project reports a high-severity vulnerability (CVE-2025-6965) in SQLitePCLRaw.lib.e_sqlite3 version 2.1.11 or earlier. The vulnerability originates in SQLite versions before 3.50.2.
The dependency chain in a Telerik Reporting project looks like this:
[net10.0]
├── Telerik.Reporting (v20.1.26.615)
│   └── SQLitePCLRaw.bundle_green (v2.1.11)
│       └── SQLitePCLRaw.lib.e_sqlite3 (v2.1.11)
For additional context, Telerik Reporting uses SQLite as a persistent disk cache for the Map report item. When a report containing a Map is rendered, the reporting engine downloads map tile images and geocoding results from external web services, and SQLite stores those results on disk so that subsequent renders can skip the web requests.
Cause
The SQLitePCLRaw.bundle_green package (version 2.1.11) bundles a native SQLite library at version 3.49.1, which is affected by CVE-2025-6965. At the time of writing, there is no patched version of SQLitePCLRaw.lib.e_sqlite3 available from the package maintainers.
Solution
A fix that addresses this dependency at the Telerik Reporting level is planned for an upcoming release. Once it ships, the official solution is to update Telerik Reporting to a version later than 20.1.26.615.
Workaround
In the meantime, the vulnerability can be mitigated by installing the SourceGear.sqlite3 package, version 3.50.4.5, which supplies a newer native SQLite binary (3.50.4) that replaces the vulnerable one at runtime.
Add the following package reference to your project file:
<PackageReference Include="SourceGear.sqlite3" Version="3.50.4.5" />
This bumps the native SQLite version to 3.50.4, which resolves the underlying memory corruption issue. The SQLitePCLRaw.lib.e_sqlite3 package reference will still appear in the dependency graph, but the actual native binary used at runtime will be the patched version supplied by SourceGear.sqlite3.
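Because the vulnerable package reference remains in the graph, a dependency scanner cannot tell you which native library actually loads; the only reliable check is to ask the running process. The following startup guard is an added example and is not code from the Telerik article or from the Telerik.Reporting package. It uses the public SQLitePCLRaw API that the bundle_green package already brings into the project (`SQLitePCL.Batteries_V2.Init()` and `SQLitePCL.raw.sqlite3_libversion_number()`); the class and method names below are the example's own and are assumed, not part of any Telerik API.

```csharp
// Added example (not from the Telerik article): fail fast at application startup if the
// native SQLite that SQLitePCLRaw actually loaded is still older than the CVE-2025-6965
// fix (SQLite 3.50.2), regardless of what the NuGet dependency graph reports.
using System;
using SQLitePCL;

public static class SqliteVersionGuard
{
    // SQLITE_VERSION_NUMBER encodes X.Y.Z as X*1000000 + Y*1000 + Z, so 3.50.2 is 3050002.
    // The fixed version comes from the advisory text above; the constant name is ours.
    public const int MinimumSafeVersion = 3050002;

    // Decodes the integer form (the same value the "SQLite x64: v3050004" trace line carries)
    // back into a dotted version string, e.g. 3050004 -> "3.50.4", 3049001 -> "3.49.1".
    public static string Decode(int versionNumber)
    {
        int major = versionNumber / 1000000;
        int minor = (versionNumber / 1000) % 1000;
        int patch = versionNumber % 1000;
        return $"{major}.{minor}.{patch}";
    }

    // True when the loaded library is at or past the patched release.
    public static bool IsPatched(int versionNumber) => versionNumber >= MinimumSafeVersion;

    // Call once, early (e.g. from Program.cs), before any report containing a Map is rendered.
    // Throwing here is deliberate: a Map render would otherwise silently use the old library.
    public static int EnsurePatchedSqlite()
    {
        // Batteries_V2 is provided by SQLitePCLRaw.bundle_green and selects the native provider;
        // calling it again later (as Telerik Reporting will) is harmless.
        Batteries_V2.Init();

        // Reports the version of the native binary that was really loaded into this process,
        // not the version declared by any package reference.
        int loaded = raw.sqlite3_libversion_number();

        if (!IsPatched(loaded))
        {
            throw new InvalidOperationException(
                $"Native SQLite {Decode(loaded)} is loaded, but {Decode(MinimumSafeVersion)} or later " +
                "is required (CVE-2025-6965). Check that SourceGear.sqlite3 is referenced and that its " +
                "native binary, not the one from SQLitePCLRaw.lib.e_sqlite3, ends up in the output folder.");
        }

        Console.WriteLine($"Native SQLite {Decode(loaded)} loaded; CVE-2025-6965 fix present.");
        return loaded;
    }
}
```

With the workaround applied the guard should report 3.50.4 (the same value the Telerik trace shows as v3050004); without it, on the packages listed above, it reports 3.49.1 and throws. Running it in CI against the published output directory catches the case where a later package restore or a publish profile reorders the native assets and the vulnerable binary wins again.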
After adding the package, rebuild and render a report, then check the application logs. During report rendering, Telerik Reporting logs the loaded SQLite native version. Use the following as an example of the expected trace:
SampleApp Information: 0 : *** ReportProcessor.ProcessReport STARTED ***
SampleApp Information: 0 : SQLite x64: v3050004
The key line is SQLite x64: v3050004. SQLite encodes its version number as X*1000000 + Y*1000 + Z, so 3050004 corresponds to SQLite 3.50.4. If the trace instead shows v3049001 (SQLite 3.49.1), the vulnerable native library bundled by SQLitePCLRaw.lib.e_sqlite3 is still the one being loaded and the workaround has not taken effect.