Cyber Posture

CVE-2025-0745

High

Published: 30 January 2025

Modified: 08 October 2025
KEV Added: none listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0008 (23.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Improper access control vulnerability in EmbedAI versions 2.1 and below, which allows access to database backups via the "/embedai/app/uploads/database/<SQL_FILE>" endpoint.

Security Summary

CVE-2025-0745 is an Improper Access Control vulnerability (CWE-284) affecting EmbedAI versions 2.1 and below. Published on 2025-01-30, it enables access to database backups via the "/embedai/app/uploads/database/<SQL_FILE>" endpoint. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, no privileges or user interaction required, and unchanged scope.

An unauthenticated, remote attacker (the vector's PR:N) can exploit this by requesting a backup file directly under that path; the application hands back the SQL file without checking for a logged-in session. The impact is read-only (C:H, I:N, A:N), but a backup is a full copy of the database, so the exposure can reveal whatever EmbedAI stores there, such as user information or application configuration.

The INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai provides details on this and other vulnerabilities in EmbedAI, including recommendations for mitigation. Security practitioners should consult the advisory for patching instructions and workarounds specific to affected deployments.
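The practical question after reading the advisory is whether anyone has already pulled a backup from an exposed host. The following Python is an added example for this page, not code from EmbedAI, thesamur, INCIBE or the advisory; it hunts a web server's access log for requests against the backup path named above. It assumes the Apache/nginx "combined" log format, and the sample log lines are constructed for illustration (documentation IP ranges, made-up file names). Because the endpoint is served as a static path, the telltale is a 200 response with a large byte count on a file under that directory; percent-encoded and query-string variants are normalised before matching so they are not missed.

```python
"""Hunt web-server access logs for reads of EmbedAI database backups.

Added example for this page; not code from EmbedAI, thesamur or INCIBE.
Assumes Apache/nginx "combined" log format. The sample log below is
constructed for illustration; the IPs are documentation ranges.
"""
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint named in the advisory; everything under it is a backup artifact.
BACKUP_PREFIX = "/embedai/app/uploads/database/"
BACKUP_DIR = BACKUP_PREFIX.rstrip("/")

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: one directory listing, two successful dumps (one
# percent-encoded with a query string), one blocked probe from a second
# source, and one line of unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2025:10:14:02 +0000] "GET /embedai/app/uploads/database/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jan/2025:10:14:05 +0000] "GET /embedai/app/uploads/database/backup_2025-01-29.sql HTTP/1.1" 200 5242880 "-" "curl/8.4.0"
198.51.100.23 - - [30/Jan/2025:11:02:41 +0000] "GET /embedai/app/uploads/database/db.sql HTTP/1.1" 404 512 "-" "python-requests/2.31"
192.0.2.9 - - [30/Jan/2025:11:30:00 +0000] "GET /embedai/app/chat HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jan/2025:12:00:17 +0000] "GET /embedai/app/uploads/database/%62ackup_2025-01-30.sql?x=1 HTTP/1.1" 200 5301222 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string, percent-decode, and collapse "." / ".." segments so
    # "/embedai/app/uploads/database/%62ackup.sql?x=1" resolves to the same
    # canonical path the server actually served.
    raw = rec["path"].split("?", 1)[0]
    rec["path"] = posixpath.normpath(unquote(raw))
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def classify(rec):
    """Label a parsed request: 'listing', 'download', 'probe', or None."""
    path = rec["path"]
    if path == BACKUP_DIR:
        kind = "listing"          # directory index of the backup folder
    elif path.startswith(BACKUP_PREFIX):
        kind = "download"         # a file inside the backup folder
    else:
        return None
    # Non-200 means the server refused or the file was absent; that is still
    # reconnaissance against the endpoint, so keep it as a 'probe'.
    return kind if rec["status"] == 200 else "probe"


def hunt(log_text):
    """Return (findings, per_source) for every request touching the backup path."""
    findings = []
    per_source = defaultdict(lambda: {"listing": 0, "download": 0, "probe": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        rec["kind"] = kind
        findings.append(rec)
        stats = per_source[rec["ip"]]
        stats[kind] += 1
        if kind == "download":
            stats["bytes"] += rec["bytes"]   # volume actually handed out
    return findings, dict(per_source)


if __name__ == "__main__":
    found, sources = hunt(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']:<15} {f['kind']:<8} {f['status']} {f['bytes']:>9} {f['path']}")
    for ip, s in sources.items():
        print(f"{ip}: {s['download']} download(s), {s['listing']} listing(s), "
              f"{s['probe']} probe(s), {s['bytes']} bytes served")
```

Run it over the real access log of any EmbedAI host that was reachable before it was patched. Successful downloads, not probes, are what turn the finding into an incident: the bytes served per source tell you how much of the database left. After patching or after denying web access to the directory, the same requests should appear only as probes (403/404); a 200 that still shows up means the directory is still being served.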

Details

CWE(s)
CWE-284

Affected Products

Vendor: thesamur
Product: embedai
Versions: ≤ 2.1

AI Security Analysis

AI Category
Enterprise AI Assistants
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
EmbedAI is a tool for creating chatbots, which aligns with Enterprise AI Assistants as it provides a platform for building and deploying AI-powered conversational agents.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Data from Information Repositories: Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

The improper access control vulnerability in the web application enables exploitation of a public-facing application (T1190) and unauthorized collection of sensitive data from database backups (T1213.006).

References

INCIBE-CERT, "Multiple vulnerabilities in EmbedAI": https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai