Cyber Resilience

CVE-2025-24786

Critical · Public PoC

Published: 06 February 2025

Modified: 31 December 2025
KEV Added: not listed
Patch: fixed in version 0.45.0
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.5182 (98.0th percentile)
Risk Priority: 51 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24786 is a critical-severity Path Traversal (CWE-22) vulnerability in Clidey Whodb. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

WhoDB is an open source database management tool that is affected by a path traversal vulnerability when handling SQLite3 database connections. The application intends to restrict access to SQLite3 files present only in the /db directory (or ./tmp/ in development mode), but the user-controlled database filename is joined directly to this path without any traversal checks or validation that the resulting file resides in the allowed directory. This flaw, tracked as CVE-2025-24786 and assigned CWE-22 and CWE-35, permits opening arbitrary SQLite3 databases anywhere on the host filesystem.

An unauthenticated remote attacker can supply a crafted filename containing path traversal sequences such as ../../ to open any SQLite3 database present on the system. Successful exploitation grants the attacker full read and write access to the contents of those databases, resulting in high impact to confidentiality and integrity with changed scope, as reflected in the CVSS 10.0 score.

The official GitHub Security Advisory states that the issue is resolved in WhoDB version 0.45.0, and all users are advised to upgrade immediately because no workarounds are known. The EPSS score has remained flat at its peak value of 0.5182 since disclosure, with no indicated rise in exploitation interest.


Vulnerability details

WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 database present on the host machine that the application is running on. Affected versions of WhoDB allow users to connect to Sqlite3 databases. By default, the databases must be present in `/db/` (or alternatively `./tmp/` if development mode is enabled). If no databases are present in the default directory, the UI indicates that the user is unable to open any databases. The database file is a user-controlled value. This value is used in `.Join()` with the default directory, in order to get the full path of the database file to open. No checks are performed whether the database file that is eventually opened actually resides in the default directory `/db`. This allows an attacker to use path traversal (`../../`) in order to open any Sqlite3 database present on the system. This issue has been addressed in version 0.45.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
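The defect in the "Deeper analysis" and "Vulnerability details" sections is a join of a user-controlled filename onto a fixed base directory with no check on where the result lands. The following Go program is an added example, not WhoDB's code: `unsafeResolve` shows the pattern the advisory describes (Go's `filepath.Join` cleans `..` segments instead of rejecting them, so the joined path simply walks out of `/db`), and `safeResolve` shows the two controls the page names, input validation (SI-10) on the bare filename and enforcement of the directory boundary (AC-3) on the cleaned result. The function names and the `/db` base directory used in `main` are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBaseDir is returned when a database name would resolve outside
// the directory the application intends to expose.
var ErrOutsideBaseDir = errors.New("database file resolves outside the allowed directory")

// unsafeResolve reproduces the defect pattern the advisory describes (hypothetical
// code, not WhoDB's): the user-controlled name is joined to the base directory and
// nothing checks where the result lands. filepath.Join cleans ".." segments rather
// than rejecting them, so "../../etc/app.db" under "/db" resolves to "/etc/app.db".
func unsafeResolve(baseDir, userName string) string {
	return filepath.Join(baseDir, userName)
}

// safeResolve is the hardened counterpart: validate the input (SI-10) and then
// enforce the directory boundary on the cleaned result (AC-3).
func safeResolve(baseDir, userName string) (string, error) {
	// A database name is a bare filename. Anything carrying a directory
	// component, including absolute paths, is rejected before any path
	// arithmetic happens.
	if userName == "" || userName != filepath.Base(userName) {
		return "", ErrOutsideBaseDir
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, userName)
	// Defence in depth: even after the filename check, confirm the cleaned path
	// is strictly inside base. "." (base itself) and ".." (its parent) both fail.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBaseDir
	}
	return full, nil
}

func main() {
	// Constructed inputs: one legitimate name and one traversal attempt.
	for _, name := range []string{"app.db", "../../etc/app.db"} {
		fmt.Printf("unsafe: %q -> %q\n", name, unsafeResolve("/db", name))
		p, err := safeResolve("/db", name)
		fmt.Printf("safe:   %q -> %q, err=%v\n", name, p, err)
	}
}
```

The bare-filename check alone would close this issue; the `filepath.Rel` check is kept so that a future caller passing a different base directory, or a name assembled from several fields, still cannot escape it.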


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in public-facing WhoDB app enables remote unauthenticated exploitation of the application (T1190) and direct access to arbitrary local SQLite database files for data collection (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24787: same product (Clidey Whodb)
CVE-2025-22205: shared CWE-22, CWE-35
CVE-2025-27222: shared CWE-22, CWE-35
CVE-2025-12824: shared CWE-22
CVE-2026-25965: shared CWE-22
CVE-2025-30567: shared CWE-22
CVE-2025-27098: shared CWE-22
CVE-2024-55457: shared CWE-22
CVE-2026-25397: shared CWE-35
CVE-2025-25122: shared CWE-35

Affected Assets

clidey whodb, versions ≤ 0.45.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent (SI-10 Information Input Validation): Requires validation of user-supplied database filenames to prevent path traversal sequences like ../../ from accessing arbitrary SQLite3 files outside the /db directory.

prevent (AC-3 Access Enforcement): Enforces logical access controls to ensure the application only permits opening of SQLite3 databases within the intended /db directory, blocking unauthorized file access.

prevent (least privilege): Applies least privilege to the WhoDB process, limiting its ability to read arbitrary SQLite3 databases on the host filesystem even if path traversal occurs.
