CVE-2025-24786
Published: 06 February 2025
Summary
CVE-2025-24786 is a critical-severity Path Traversal (CWE-22) vulnerability in Clidey Whodb. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
WhoDB is an open source database management tool that is affected by a path traversal vulnerability when handling SQLite3 database connections. The application intends to restrict access to SQLite3 files present only in the /db directory (or ./tmp/ in development mode), but the user-controlled database filename is joined directly to this path without any traversal checks or validation that the resulting file resides in the allowed directory. This flaw, tracked as CVE-2025-24786 and assigned CWE-22 and CWE-35, permits opening arbitrary SQLite3 databases anywhere on the host filesystem.
An unauthenticated remote attacker can supply a crafted filename containing path traversal sequences such as ../../ to open any SQLite3 database present on the system. Successful exploitation grants the attacker full read and write access to the contents of those databases, resulting in high impact to confidentiality and integrity with changed scope, as reflected in the CVSS 10.0 score.
The official GitHub Security Advisory states that the issue is resolved in WhoDB version 0.45.0, and all users are advised to upgrade immediately because no workarounds are known. The EPSS score has remained flat at its peak value of 0.5182 since disclosure, with no indicated rise in exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3946
Vulnerability details
WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 database present on the host machine that the application is running on. Affected versions of WhoDB allow users to connect to Sqlite3 databases. By default, the databases must be present in `/db/` (or alternatively `./tmp/` if development mode is enabled). If no databases are present in the default directory, the UI indicates that the user is unable to open any databases. The database file is a user-controlled value. This value is used in `.Join()` with the default directory, in order to get the full path of the database file to open. No checks are performed whether the database file that is eventually opened actually resides in the default directory `/db`. This allows an attacker to use path traversal (`../../`) in order to open any Sqlite3 database present on the system. This issue has been addressed in version 0.45.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
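The join-without-containment pattern the advisory describes, beside a hardened variant that rejects any filename resolving outside the base directory. This is an added illustration in Go (the language WhoDB is written in), not WhoDB's own code; `unsafeDBPath`, `safeDBPath` and the sample filenames are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested file would resolve outside baseDir.
var ErrOutsideBase = errors.New("database path escapes the allowed directory")

// unsafeDBPath mirrors the flaw described above: the user-controlled filename is
// joined to the base directory and the result is used with no containment check.
// Join cleans the path, so "../../etc/x.db" under "/db" becomes "/etc/x.db".
func unsafeDBPath(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// safeDBPath joins the same way but then verifies that the cleaned result still
// lies inside baseDir. The check is lexical: symlinks placed inside baseDir are
// not followed here (resolve with filepath.EvalSymlinks on a real filesystem).
func safeDBPath(baseDir, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrOutsideBase
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// Reject the base directory itself and anything that climbs out of it.
	// Comparing against ".." + separator keeps names like "..hidden.db" valid.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed inputs: one legitimate name, one traversal attempt.
	for _, name := range []string{"app.db", "../../etc/secrets.db"} {
		fmt.Printf("unsafe: %-22q -> %s\n", name, unsafeDBPath("/db", name))
		p, err := safeDBPath("/db", name)
		fmt.Printf("safe:   %-22q -> path=%q err=%v\n", name, p, err)
	}
}
```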
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing WhoDB app enables remote unauthenticated exploitation of the application (T1190) and direct access to arbitrary local SQLite database files for data collection (T1005).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of user-supplied database filenames to prevent path traversal sequences like ../../ from accessing arbitrary SQLite3 files outside the /db directory.
- AC-3 (Access Enforcement): enforces logical access controls to ensure the application only permits opening of SQLite3 databases within the intended /db directory, blocking unauthorized file access.
- Least privilege: applies least privilege to the WhoDB process, limiting its ability to read arbitrary SQLite3 databases on the host filesystem even if path traversal occurs.