CVE-2025-24786
Published: 06 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-24786 is a path traversal vulnerability in WhoDB, an open source database management tool. The issue affects the SQLite3 plugin, where the application builds the database file path by joining a user-controlled filename to the default directory (/db/, or ./tmp/ in development mode) without checking that the resulting path stays inside that directory. Because traversal sequences such as ../../ are not rejected, the path can resolve to any SQLite3 database on the host system. Affected versions are those prior to 0.45.0.
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying a malicious database filename in the UI's file selector, the attacker traverses to any readable SQLite3 database file on the host filesystem. Successful exploitation grants high-impact confidentiality and integrity violations (C:H/I:H), such as reading sensitive data or potentially modifying database contents, depending on the tool's operations and file permissions, with a changed scope (S:C). The CVSS v3.1 base score is 10.0.
The GitHub security advisory (GHSA-9r4c-jwx3-3j76) confirms the vulnerability has been addressed in WhoDB version 0.45.0, recommending that all users upgrade immediately. No workarounds are available. Code references highlight the insecure path joining in core/src/plugins/sqlite3/db.go.
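The following Go program is an added illustration of the flaw class described above and is not WhoDB's code: UnsafeDBPath reproduces the "join the user-supplied name to the base directory and use the result" pattern, and SafeDBPath shows the containment check that the advisory says was missing, resolving the joined path and rejecting anything that lands outside the base directory. Function names, the "/db" base and the sample file names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a resolved database path escapes baseDir.
var ErrOutsideBase = errors.New("database path escapes the base directory")

// UnsafeDBPath reproduces the flawed pattern described in the advisory:
// the user-controlled file name is joined to the default directory and the
// result is used as-is. Join cleans the path, so "../" segments walk out of
// baseDir instead of being rejected. Illustrative reconstruction, not WhoDB's code.
func UnsafeDBPath(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// SafeDBPath joins name to baseDir and returns the result only if it still
// lies inside baseDir. Subdirectories are allowed; escaping is not.
func SafeDBPath(baseDir, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty database name")
	}
	// An absolute name is never a legitimate selection from a fixed
	// directory, so reject it outright rather than relying on Join to tame it.
	if filepath.IsAbs(name) {
		return "", fmt.Errorf("absolute database name %q not allowed", name)
	}
	absBase, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absBase, name) // Join also cleans ".." segments

	// Containment check: express the candidate relative to the base and
	// refuse anything that starts with "..". Using Rel rather than a string
	// prefix test avoids the classic "/db" vs "/dbx" prefix confusion.
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", ErrOutsideBase
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

func main() {
	// Constructed inputs: the default production directory named in the
	// advisory plus three file names, two benign and one with traversal segments.
	base := "/db"
	for _, name := range []string{"app.db", "reports/q1.db", "../../etc/other.db"} {
		fmt.Printf("unsafe: %-20s -> %s\n", name, UnsafeDBPath(base, name))
		if p, err := SafeDBPath(base, name); err != nil {
			fmt.Printf("safe:   %-20s -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("safe:   %-20s -> %s\n", name, p)
		}
	}
}
```

The Rel-based check only reasons about the lexical path; if the base directory may contain symlinks pointing elsewhere, resolve the candidate with filepath.EvalSymlinks (which requires the file to exist) before the containment test, or open the base directory and use relative opens so the kernel enforces the boundary.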
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the public-facing WhoDB application enables remote unauthenticated exploitation of the application (T1190) and direct access to arbitrary local SQLite database files for data collection (T1005).