CVE-2025-24787
Published: 06 February 2025
Description
This is the MITRE ATT&CK description of T1005 (Data from Local System), the collection technique mapped to this CVE: Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-24787 affects WhoDB, an open source database management tool, in versions prior to 0.45.0. The vulnerability stems from unsafe string concatenation when building database connection URIs (DSNs): the user-supplied fields are formatted into the string without being escaped or encoded, so they can inject additional URI parameters. This is particularly dangerous with the github.com/go-sql-driver/mysql driver, where an injected allowAllFiles=true parameter lets the MySQL server the client connects to request arbitrary local files through LOAD DATA LOCAL INFILE, and the client will read and send them.
Any unauthenticated network attacker (PR:N) who can supply the values that go into the connection string can exploit this issue. By injecting &allowAllFiles=true into the URI and pointing WhoDB at any MySQL server, including one the attacker controls, the attacker has that server issue a LOCAL INFILE request for a chosen path, and WhoDB's MySQL client answers with the contents of that file from the host running WhoDB. The CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) reflects high confidentiality impact with changed scope; the weakness is classified as CWE-943 (Improper Neutralization of Special Elements in Data Query Logic).
The GitHub security advisory (GHSA-c7w4-9wv8-7x7c) confirms the issue has been fixed in WhoDB version 0.45.0, urging all users to upgrade immediately. No workarounds are available.
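The following is an added illustration, not code from WhoDB or from the advisory. It is a stdlib-only Go program that builds a go-sql-driver/mysql DSN the unsafe way described above, parses the resulting parameters with the same split rules the driver's ParseDSN applies (the text after the first '?' that follows the last '/'), and contrasts it with a builder that allowlists each field and re-checks the finished DSN. The format string, the attacker input, the field names and the allowlists are assumptions of this example; the driver itself is not imported, and whether an injected value needs a leading '?' or '&' depends only on where the injected field sits relative to the fixed parameters in the format string.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Vulnerable pattern: login fields are formatted straight into the DSN.
// The format string is an assumption of this example, not WhoDB's.
func BuildDSNUnsafe(user, pass, host, port, db string) string {
	return fmt.Sprintf("%s:%s@tcp(%s:%s)/%s?parseTime=true", user, pass, host, port, db)
}

// DSNParams extracts the ?key=value&... parameters of a MySQL DSN with the
// split rules go-sql-driver/mysql's ParseDSN applies: the text after the
// first '?' that follows the last '/', split on '&', then on the first '='.
func DSNParams(dsn string) map[string]string {
	params := map[string]string{}
	slash := strings.LastIndex(dsn, "/")
	if slash < 0 {
		return params
	}
	q := strings.Index(dsn[slash:], "?")
	if q < 0 {
		return params
	}
	for _, kv := range strings.Split(dsn[slash+q+1:], "&") {
		if kv == "" {
			continue
		}
		key, val, _ := strings.Cut(kv, "=")
		params[key] = val
	}
	return params
}

// AllowsLocalInfile reports whether the DSN enables allowAllFiles, i.e.
// whether the client would honour a server's LOAD DATA LOCAL INFILE request
// for any path. The driver accepts "1" and "true" (any case) as true.
func AllowsLocalInfile(dsn string) bool {
	v, ok := DSNParams(dsn)["allowAllFiles"]
	return ok && (v == "1" || strings.EqualFold(v, "true"))
}

// Hardened builder: every field is allowlisted before it is placed in the
// DSN, and the result is re-parsed to confirm only the application's own
// parameter is present. The allowlists are this example's choice.
var (
	safeToken = regexp.MustCompile(`^[A-Za-z0-9_.\-]+$`) // user, host, database
	safePort  = regexp.MustCompile(`^[0-9]{1,5}$`)
	dsnMeta   = "/?&@" // bytes that change how the driver splits the DSN
)

func BuildDSNSafe(user, pass, host, port, db string) (string, error) {
	for name, v := range map[string]string{"user": user, "host": host, "database": db} {
		if !safeToken.MatchString(v) {
			return "", fmt.Errorf("%s %q contains characters not allowed in a DSN", name, v)
		}
	}
	if !safePort.MatchString(port) {
		return "", fmt.Errorf("port %q is not numeric", port)
	}
	if strings.ContainsAny(pass, dsnMeta) {
		return "", fmt.Errorf("password contains DSN metacharacters (one of %q)", dsnMeta)
	}
	dsn := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s?parseTime=true", user, pass, host, port, db)
	for k := range DSNParams(dsn) { // defence in depth: parseTime is the only parameter we set
		if k != "parseTime" {
			return "", fmt.Errorf("unexpected DSN parameter %q", k)
		}
	}
	return dsn, nil
}

func main() {
	// Constructed attacker input: the database field carries the injected
	// parameter; the trailing "&x=" absorbs the application's "?parseTime=true".
	evilDB := "app?allowAllFiles=true&x="
	dsn := BuildDSNUnsafe("root", "secret", "attacker.example", "3306", evilDB)
	fmt.Println(dsn)
	fmt.Println("allowAllFiles enabled:", AllowsLocalInfile(dsn))
	if _, err := BuildDSNSafe("root", "secret", "attacker.example", "3306", evilDB); err != nil {
		fmt.Println("hardened builder rejected it:", err)
	}
}
```

The password is checked as well as the other fields because the driver does not escape it: it takes everything between the first ':' and the last '@' before the last '/', so a '/' or '?' in a password shifts the database and parameter boundaries. The more robust fix, independent of any string building, is to populate the driver's mysql.Config struct from the user's fields (leaving AllowAllFiles at its default of false) and open the connection with mysql.NewConnector and sql.OpenDB, so that no DSN is ever parsed; the advisory does not describe how 0.45.0 implemented its fix, and this recommendation is the editor's, not a statement about that release.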
Details
- CWE(s): CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)
Affected Products
- WhoDB, versions prior to 0.45.0 (fixed in 0.45.0)
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1005 Data from Local System
Why these techniques?
The vulnerability in a public-facing WhoDB instance is exploitable by an unauthenticated network attacker (T1190), and the outcome is the collection of arbitrary files from the WhoDB host's local file system through the injected MySQL connection parameter (T1005).