CVE-2025-24787
Published 2025-02-06. CVE-2025-24787: WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings…
Priority P3 · 46 · High · 7.5 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS 0.53% (40.5th percentile)
WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on. The application uses string concatenation to build database connection URIs, which are then passed to the libraries responsible for setting up the database connections. This concatenation is done without escaping or encoding the user input, which in many cases lets a user inject arbitrary parameters into the URI string. Whether such parameters are dangerous depends on the library that parses them. One dangerous parameter is `allowAllFiles` in the library `github.com/go-sql-driver/mysql`: when it is set to `true`, the library allows a `LOAD DATA LOCAL INFILE` query to read any file on the host machine (here, the machine WhoDB is running on). By injecting `&allowAllFiles=true` into the connection URI and connecting to any MySQL server (such as an attacker-controlled one), the attacker is able to read local files. This issue has been addressed in version 0.45.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
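As an added example (not WhoDB's code and not the driver's), the following Go program contrasts the concatenation pattern the advisory describes with a builder that validates each segment and emits only an allowlisted set of options, plus a helper that inspects a finished DSN for `allowAllFiles`. It does not import `github.com/go-sql-driver/mysql`: the DSN grammar, the `allowAllFiles` option name and the boolean spellings it accepts are taken from the driver's documentation, while the payload `app?allowAllFiles=true` in a database-name field, the hostnames and the credentials are constructed for the demo rather than taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// DSN layout of github.com/go-sql-driver/mysql as documented by the driver
// (assumed here; the driver is not imported):
//   user:password@tcp(host:port)/dbname?param=value&...
// The driver takes the database name after the last '/' and the options
// after the first '?' that follows it.

// buildDSNVulnerable reproduces the advisory's pattern: user-supplied fields
// are concatenated with no escaping, so a field may carry its own '?' options.
func buildDSNVulnerable(user, password, host, port, database string) string {
	return user + ":" + password + "@tcp(" + host + ":" + port + ")/" + database
}

// dsnParams extracts the option block the driver would parse from a DSN.
func dsnParams(dsn string) (url.Values, error) {
	slash := strings.LastIndexByte(dsn, '/')
	if slash < 0 {
		return nil, errors.New("dsn has no /dbname segment")
	}
	rest := dsn[slash+1:]
	q := strings.IndexByte(rest, '?')
	if q < 0 {
		return url.Values{}, nil
	}
	return url.ParseQuery(rest[q+1:])
}

// allowAllFilesEnabled reports whether a DSN switches on the driver's
// unrestricted LOAD DATA LOCAL INFILE mode ("true" and "1" both count).
func allowAllFilesEnabled(dsn string) (bool, error) {
	params, err := dsnParams(dsn)
	if err != nil {
		return false, err
	}
	v := params.Get("allowAllFiles")
	return v == "1" || strings.EqualFold(v, "true"), nil
}

// ErrBadSegment marks user input that carries a DSN delimiter.
var ErrBadSegment = errors.New("dsn segment contains a reserved character")

// allowedParams is the fixed set of options the application itself chooses;
// user input never contributes to it, so allowAllFiles can only be set here.
var allowedParams = map[string]string{
	"charset":   "utf8mb4",
	"parseTime": "true",
}

// checkSegment rejects delimiters that could move input into another DSN
// position. Rejecting is simpler than encoding because the driver treats
// these characters structurally (IPv6 literal hosts are not handled here).
func checkSegment(s string) error {
	if s == "" || strings.ContainsAny(s, "?&/@():") {
		return fmt.Errorf("%w: %q", ErrBadSegment, s)
	}
	return nil
}

// buildDSNSafe validates every caller-supplied segment, then appends only the
// allowlisted options, percent-encoded by url.Values.Encode.
func buildDSNSafe(user, password, host, port, database string) (string, error) {
	for _, seg := range []string{user, host, port, database} {
		if err := checkSegment(seg); err != nil {
			return "", err
		}
	}
	// Conservative: the driver splits on the last '@' and last '/', so it
	// tolerates more in a password, but refusing delimiters keeps this obvious.
	if strings.ContainsAny(password, "@/?") {
		return "", fmt.Errorf("%w: password", ErrBadSegment)
	}
	q := url.Values{}
	for k, v := range allowedParams {
		q.Set(k, v)
	}
	return fmt.Sprintf("%s:%s@tcp(%s:%s)/%s?%s", user, password, host, port, database, q.Encode()), nil
}

func main() {
	// Constructed input: a database-name field with a driver option smuggled
	// in after '?' (payload shape is an assumption, not from the advisory).
	evilDB := "app?allowAllFiles=true"
	dsn := buildDSNVulnerable("root", "s3cret", "attacker.example", "3306", evilDB)
	on, _ := allowAllFilesEnabled(dsn)
	fmt.Printf("vulnerable: %s\n  allowAllFiles=%v\n", dsn, on)

	if _, err := buildDSNSafe("root", "s3cret", "attacker.example", "3306", evilDB); err != nil {
		fmt.Println("hardened builder rejected:", err)
	}
	safe, _ := buildDSNSafe("root", "s3cret", "db.internal", "3306", "app")
	on, _ = allowAllFilesEnabled(safe)
	fmt.Printf("hardened: %s\n  allowAllFiles=%v\n", safe, on)
}
```

In a real Go project the equivalent of `buildDSNSafe` is to populate the driver's `mysql.Config` struct and call its `FormatDSN()` method, leaving `AllowAllFiles` false; `allowAllFilesEnabled` is useful as a test or as a guard in front of `sql.Open`. The DSN is only half of the attack: the MySQL server decides when to send a LOCAL INFILE request, which is why the advisory's attacker points the tool at a server they control.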
Affected
15 ranges. The `msrc` rows below are Azure Linux and CBL-Mariner Go toolchain and related packages that Microsoft tracks against CVE-2024-24787 (the cmd/go Darwin issue in the Microsoft entry further down); they do not describe WhoDB.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| clidey | whodb | < 0.45.0 | 0.45.0 |
| github.com | clidey_whodb_core | >= 0 < 0.0.0-20250127202645-8d67b767e005 | 0.0.0-20250127202645-8d67b767e005 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_gcc_11.2.0-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.17.13-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.22.3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_msrc · 6.4 MEDIUM (scored for CVE-2024-24787, see the Microsoft entry below)
OSV · 2025-02-07
CVE-2025-24787 WhoDB allows parameter injection in DB connection URIs leading to local file inclusion in github.com/clidey/whodb/core
OSV · 2025-02-06
CVE-2025-24787 [HIGH] WhoDB allows parameter injection in DB connection URIs leading to local file inclusion
### Summary
The application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on.
### Details
The application uses string concatenation to build database connection URIs which are then passed to corresponding libraries responsible for setting up the database connections.
This string concatenation is done unsafely and without escaping or encoding the user input. This allows a user, in many cases, to inject arbitrary parameters into the URI string. These parameters can be potentially dangerous depending on the libraries used.
One of these dangerous parameters is `allowAllFiles` in the library `g
GHSA · 2025-02-06
CVE-2025-24787 [HIGH] CWE-943 WhoDB allows parameter injection in DB connection URIs leading to local file inclusion
Summary and Details: the same advisory text as the OSV entry above.
Microsoft · vendor_msrc · 2024-05-14 · CVSS 6.4
CVE-2024-24787 [MEDIUM] Arbitrary code execution during build on Darwin in cmd/go
This is a Go toolchain advisory and is unrelated to WhoDB.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.mic
No detection rules found.
No public exploits indexed.
Wiz · blogs_wiz · 2025-09-25
What Is Database Security? An Overview and Best Practices | Wiz
## What is database security?
Database security is the process of identifying, assessing, and mitigating security risks that can compromise the confidentiality, integrity, and availability of data. As enterprises accumulate more data, this critical asset has become the backbone of business, powering business decisions, helping identify user behavior—and attracting bad actors.
Hackers are increasingly targeting databases through vulnerabilities, misconfigurations, and social engineering. Database security addresses these threats through a comprehensive strategy that goes beyond setting passwords or installing firewalls.
Below, you'll explore modern database security best practices and learn about database hardening techniques. By the end of this guide, you'll be able to take actionable s
Published 2025-02-06