CVE-2025-24787 – WhoDB versions before 0.45.0 are vulnerable to ... (How to Fix)

Q: What is the severity of CVE-2025-24787?

CVE-2025-24787 has a CVSS score of 8.6 (HIGH). WhoDB versions before 0.45.0 are vulnerable to parameter injection in database connection strings, allowing attackers to read local files on the host machine. This occurs when user input is unsafely concatenated into connection URIs without proper escaping. Attackers can exploit this by injecting 'allowAllFiles=true' into MySQL connection strings to read arbitrary files via LOAD DATA LOCAL INFILE queries.

📋 TL;DR

WhoDB versions before 0.45.0 are vulnerable to parameter injection in database connection strings, allowing attackers to read local files on the host machine. This occurs when user input is unsafely concatenated into connection URIs without proper escaping. Attackers can exploit this by injecting 'allowAllFiles=true' into MySQL connection strings to read arbitrary files via LOAD DATA LOCAL INFILE queries.

💻 Affected Systems

Products:

WhoDB

Versions: All versions before 0.45.0

Operating Systems: All operating systems running WhoDB

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists when using MySQL database connections with the go-sql-driver/mysql library. Other database drivers may have similar issues.

📦 What is this software?

Whodb by Clidey

View all CVEs affecting Whodb →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of sensitive files on the host system including configuration files, credentials, and sensitive data, potentially leading to full system compromise.

🟠

Likely Case

Exfiltration of database credentials, configuration files, and other sensitive local files accessible to the WhoDB process.

🟢

If Mitigated

Limited impact if network access is restricted and file permissions are properly configured, though the vulnerability still exists.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly accessible to attackers who can exploit this without authentication.

🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires the attacker to control or have access to a MySQL server that the vulnerable WhoDB instance can connect to.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.45.0

Vendor Advisory: https://github.com/clidey/whodb/security/advisories/GHSA-c7w4-9wv8-7x7c

Restart Required: No

Instructions:

1. Stop the WhoDB service. 2. Backup configuration and data. 3. Upgrade to version 0.45.0 or later. 4. Restart the WhoDB service.

🔧 Temporary Workarounds

No official workarounds

all

The vendor states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

Restrict network access to WhoDB instances to only trusted sources using firewall rules.
Implement strict file system permissions to limit what files the WhoDB process can access.

🔍 How to Verify

Check if Vulnerable:

Check the WhoDB version. If it's below 0.45.0, the system is vulnerable.

Check Version:

Check the WhoDB application version in the UI or configuration files, or run the WhoDB binary with --version flag if available.

Verify Fix Applied:

Verify the WhoDB version is 0.45.0 or higher after upgrade.

📡 Detection & Monitoring

Log Indicators:

Unusual database connection attempts with modified connection strings
LOAD DATA LOCAL INFILE queries in MySQL logs
Failed connection attempts with malformed URIs

Network Indicators:

Outbound connections from WhoDB to untrusted MySQL servers
Unusual data transfers from WhoDB host to external MySQL servers

SIEM Query:

source="whodb" AND (event="connection_error" OR event="database_error") AND message CONTAINS "allowAllFiles"

📊 Metadata

CVE ID: CVE-2025-24787

CVSS v3 Score: 8.6 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE: CWE-943

EPSS Score: 0.24% exploit probability (47.3th percentile)

Published: February 6, 2025

Last Updated: December 31, 2025

🔗 References

https://github.com/clidey/whodb/security/advisories/GHSA-c7w4-9wv8-7x7c Vendor Advisory
https://github.com/go-sql-driver/mysql/blob/7403860363ca112af503b4612568c3096fecb466/infile.go#L128 Product
https://github.com/clidey/whodb/security/advisories/GHSA-c7w4-9wv8-7x7c Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-24787, you might also want to check these: