CVE-2025-24787

Published Feb 6, 2025

Last updated 16 days ago

CVSS high 8.6

Overview

Description
WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on. The application uses string concatenation to build database connection URIs which are then passed to corresponding libraries responsible for setting up the database connections. This string concatenation is done unsafely and without escaping or encoding the user input. This allows an user, in many cases, to inject arbitrary parameters into the URI string. These parameters can be potentially dangerous depending on the libraries used. One of these dangerous parameters is `allowAllFiles` in the library `github.com/go-sql-driver/mysql`. Should this be set to `true`, the library enables running the `LOAD DATA LOCAL INFILE` query on any file on the host machine (in this case, the machine that WhoDB is running on). By injecting `&allowAllFiles=true` into the connection URI and connecting to any MySQL server (such as an attacker-controlled one), the attacker is able to read local files. This issue has been addressed in version 0.45.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Source
security-advisories@github.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.6
Impact score
4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-943

Social media

Hype score
Not currently trending

  1. CVE-2025-24786 (CVSS 10) & CVE-2025-24787: Critical WhoDB Vulnerabilities https://t.co/ZRRthkZHFl

    @Dinosn

    10 Feb 2025

    940 Impressions

    0 Retweets

    1 Like

    2 Bookmarks

    0 Replies

    0 Quotes

  2. 🗣 CVE-2025-24786 (CVSS 10) & CVE-2025-24787: Critical WhoDB Vulnerabilities https://t.co/DMpNt6YpM1

    @fridaysecurity

    10 Feb 2025

    24 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  3. CVE-2025-24787 WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allo… https://t.co/Xyn949kFwW

    @CVEnew

    6 Feb 2025

    350 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. [CVE-2025-24787: HIGH] WhoDB, an open source database tool, had a cyber security flaw allowing attackers to read local files due to unsafe string concatenation in database connection strings. Upgrade to version 0...#cybersecurity,#vulnerability https://t.co/xGErtQR2Ki https://t.c

    @CveFindCom

    6 Feb 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References