CVE-2025-24786
Published: 06 February 2025
Summary
CVE-2025-24786 is a critical-severity Path Traversal (CWE-22) vulnerability in Clidey Whodb. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of user-supplied database filenames to prevent path traversal sequences like ../../ from accessing arbitrary SQLite3 files outside the /db directory.
- AC-3 (Access Enforcement): enforces logical access controls to ensure the application only permits opening of SQLite3 databases within the intended /db directory, blocking unauthorized file access.
- AC-6 (Least Privilege): applies least privilege to the WhoDB process, limiting its ability to read arbitrary SQLite3 databases on the host filesystem even if path traversal occurs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing WhoDB instance enables remote, unauthenticated exploitation of the application (T1190) and direct access to arbitrary local SQLite database files for data collection (Data from Local System, T1005).
NVD Description
WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 database present on the host machine that the application is running on. Affected versions of WhoDB allow users to connect to Sqlite3 databases. By default, the databases must be present in `/db/` (or alternatively `./tmp/` if development mode is enabled). If no databases are present in the default directory, the UI indicates that the user is unable to open any databases. The database file is a user-controlled value. This value is used in `.Join()` with the default directory, in order to get the full path of the database file to open. No checks are performed whether the database file that is eventually opened actually resides in the default directory `/db`. This allows an attacker to use path traversal (`../../`) in order to open any Sqlite3 database present on the system. This issue has been addressed in version 0.45.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Deeper analysis
CVE-2025-24786 is a path traversal vulnerability in WhoDB, an open source database management tool. The issue affects the SQLite3 plugin, where the application constructs the database file path by joining a user-controlled filename onto the default directory (/db/, or ./tmp/ in development mode) without verifying that the resulting path still lies inside that directory. Because path joining normalises the result rather than rejecting traversal sequences such as ../../, a crafted filename resolves to any SQLite3 database on the host system. Affected versions are those prior to 0.45.0.
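The following Go program is an added illustration of the flaw described above, not WhoDB's own code: `resolveUnchecked` reproduces the pattern the advisory describes (user value joined onto the base directory with no containment check) and `resolveChecked` shows the check that was missing. Function names, the `/db` base directory and the sample filenames are assumptions for the example; POSIX path separators are assumed.

```go
// Added example, not WhoDB's code: a vulnerable and a hardened way of
// mapping a user-supplied SQLite3 filename onto the /db base directory.
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested file would not live under baseDir.
var ErrOutsideBase = errors.New("database file resolves outside the base directory")

// resolveUnchecked mirrors the flaw in the advisory: the user value is simply
// joined onto the base directory. filepath.Join cleans the result, so
// "../../etc/app/secrets.db" becomes "/etc/app/secrets.db" instead of being rejected.
func resolveUnchecked(baseDir, userFile string) string {
	return filepath.Join(baseDir, userFile)
}

// resolveChecked builds the same path, then verifies it still lies under
// baseDir. filepath.Rel is used instead of a raw string-prefix test so that a
// base of "/db" cannot accidentally accept "/dbx/…", and so that the base
// directory itself (rel == ".") is rejected as not being a file. Absolute
// user values are refused up front as a defensive choice (Join would otherwise
// silently nest them under baseDir).
func resolveChecked(baseDir, userFile string) (string, error) {
	if userFile == "" || filepath.IsAbs(userFile) {
		return "", ErrOutsideBase
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, userFile)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: two legitimate names, one traversal, one absolute path.
	for _, name := range []string{"app.db", "sub/app.db", "../../etc/app/secrets.db", "/etc/app/secrets.db"} {
		fmt.Printf("%-26s unchecked=%-24s", name, resolveUnchecked("/db", name))
		if p, err := resolveChecked("/db", name); err != nil {
			fmt.Printf(" checked=REJECTED (%v)\n", err)
		} else {
			fmt.Printf(" checked=%s\n", p)
		}
	}
}
```

The check is purely lexical: a symlink placed inside /db that points elsewhere still escapes it. Where that matters, resolve the candidate with `filepath.EvalSymlinks` (which requires the file to exist) and apply the same `filepath.Rel` containment test to the resolved path.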
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying a filename containing traversal sequences in the UI's database selector, the attacker can open any SQLite3 database file on the host filesystem that the WhoDB process is permitted to read. Successful exploitation yields high confidentiality and integrity impact (C:H/I:H), such as reading sensitive data or, depending on the tool's operations and file permissions, modifying database contents, with a changed scope (S:C) because the affected files belong to the host rather than to the application. The CVSS v3.1 base score is 10.0.
The GitHub security advisory (GHSA-9r4c-jwx3-3j76) confirms the vulnerability has been addressed in WhoDB version 0.45.0, and all users are advised to upgrade immediately. No workarounds are available. Code references point to the insecure path joining in core/src/plugins/sqlite3/db.go.
Details
- CWE(s)