CVE-2025-69285
📋 TL;DR
SQLBot versions before 1.5.0 have an authentication bypass vulnerability in the /api/v1/datasource/uploadExcel endpoint. Unauthenticated attackers can upload arbitrary Excel/CSV files that get directly inserted into the PostgreSQL database, potentially corrupting or manipulating data. All SQLBot deployments using affected versions are vulnerable.
💻 Affected Systems
- SQLBot
📦 What is this software?
Sqlbot by Fit2cloud
⚠️ Risk & Real-World Impact
Worst Case
Complete database corruption or takeover through malicious data injection, data loss via 'replace' mode overwriting existing tables, and potential privilege escalation if database credentials are compromised.
Likely Case
Data manipulation or corruption through unauthorized file uploads, disruption of SQLBot functionality, and potential data integrity issues affecting downstream applications.
If Mitigated
No impact if endpoint is properly authenticated or removed from whitelist, with normal file upload functionality preserved for authorized users.
🎯 Exploit Status
Simple HTTP POST request with Excel/CSV file to vulnerable endpoint, no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.0
Vendor Advisory: https://github.com/dataease/SQLBot/security/advisories/GHSA-crfm-cch4-hjpv
Restart Required: Yes
Instructions:
1. Backup current SQLBot configuration and data.
2. Stop SQLBot service.
3. Update to version 1.5.0 from GitHub releases.
4. Restart SQLBot service.
5. Verify endpoint now requires authentication.
🔧 Temporary Workarounds
Remove endpoint from whitelist (platform: all)
Manually modify the authentication configuration to remove /api/v1/datasource/uploadExcel from the authentication whitelist
Edit SQLBot configuration file to remove endpoint from auth_whitelist array
Network access control (platform: linux)
Restrict network access to the SQLBot upload endpoint using firewall rules. Note that the string match below drops any packet containing the path, including uploads from authenticated users, so it disables the upload feature rather than gating it.
iptables -A INPUT -p tcp --dport [SQLBot_PORT] -m string --string "/api/v1/datasource/uploadExcel" --algo bm -j DROP
🧯 If You Can't Patch
- Implement network segmentation to restrict access to SQLBot instance
- Deploy web application firewall with rules to block unauthenticated upload requests to vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Attempt unauthenticated POST request to /api/v1/datasource/uploadExcel endpoint with test Excel file
Check Version:
Check SQLBot version in web interface or via API endpoint /api/v1/version
Verify Fix Applied:
Verify unauthenticated requests to /api/v1/datasource/uploadExcel return 401/403 error
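The two verification steps above (check the reported version, then confirm an unauthenticated POST is refused) as a small script. This is an added example, not code from SQLBot or the advisory; it assumes /api/v1/version returns a body containing a dotted version string, and it sends the POST with an empty body and no credentials so that nothing is written even if the endpoint is still unauthenticated. A 401/403 means the fix is in place; any other status means the handler was reached without authentication.

```python
import re
import sys
import urllib.error
import urllib.request

UPLOAD_PATH = "/api/v1/datasource/uploadExcel"
VERSION_PATH = "/api/v1/version"  # from the advisory's "Check Version" step
FIXED_VERSION = (1, 5, 0)         # first patched release per the advisory


def parse_version(text):
    """Turn '1.4.2', 'v1.5.0' or '1.5.0-rc1' into a comparable (major, minor, patch) tuple."""
    core = text.strip().lstrip("vV").split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_is_patched(text):
    """True when the reported version is 1.5.0 or later."""
    return parse_version(text) >= FIXED_VERSION


def classify_auth_response(status):
    """401/403 means authentication is enforced in front of the upload handler;
    anything else (200, 400, 422, 500...) means the request reached the handler."""
    if status in (401, 403):
        return "auth-enforced"
    return "reachable-without-auth"


def extract_version(body):
    """Pull the first dotted version string out of the version endpoint's response.
    Assumption: the response body contains something like 1.5.0 somewhere."""
    match = re.search(r"\d+\.\d+\.\d+", body)
    return match.group(0) if match else None


def http_status(url, method="GET", data=None):
    """Return the HTTP status for a request, treating error statuses as results, not exceptions."""
    req = urllib.request.Request(url, data=data, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_instance(base_url):
    """Run both checks against a SQLBot instance and return a findings dict."""
    base = base_url.rstrip("/")
    findings = {}

    status, body = http_status(base + VERSION_PATH)
    version = extract_version(body) if status == 200 else None
    findings["version"] = version
    findings["version_patched"] = version_is_patched(version) if version else None

    # Empty multipart-free POST with no Authorization/cookie: only the auth layer is exercised.
    status, _ = http_status(base + UPLOAD_PATH, method="POST", data=b"")
    findings["upload_status"] = status
    findings["upload_auth"] = classify_auth_response(status)
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_sqlbot.py https://sqlbot.example.internal")
    for key, value in check_instance(sys.argv[1]).items():
        print(f"{key}: {value}")
```

Treat "reachable-without-auth" as vulnerable regardless of the reported version: the version string is self-reported, while the POST result reflects the running configuration (including whether the endpoint is still on the auth whitelist).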
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated POST requests to /api/v1/datasource/uploadExcel
- Database errors from unexpected table replacements
- Unusual file upload activity from unauthenticated IPs
Network Indicators:
- HTTP POST requests to uploadExcel endpoint without authentication headers
- Unusual traffic patterns to SQLBot upload endpoint
SIEM Query:
source="sqlbot.log" AND (uri="/api/v1/datasource/uploadExcel" AND NOT auth_token=*)
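The SIEM query above expressed as a standalone log filter, so it can be run against exported logs or used to sanity-check the query before deploying it. This is an added example, not part of the advisory and not SQLBot's own tooling; the JSON-lines log format and the field names (ip, method, uri, status, auth_token) are assumptions, and the sample lines are constructed. Unlike the one-line query, it separates unauthenticated attempts that were refused (401/403, fix in place) from those that were accepted (2xx, data reached the database), which is the difference between "someone is probing" and "the bypass worked".

```python
import json
from collections import Counter

UPLOAD_PATH = "/api/v1/datasource/uploadExcel"

# Constructed sample log, JSON lines (assumed format). One authenticated upload, two
# unauthenticated uploads that were accepted, one GET, one refused attempt, one bad line.
SAMPLE_LOG = """\
{"ts":"2025-01-10T08:01:02Z","ip":"10.0.0.5","method":"POST","uri":"/api/v1/datasource/uploadExcel","status":200,"auth_token":"tok-constructed-1"}
{"ts":"2025-01-10T08:01:09Z","ip":"203.0.113.7","method":"POST","uri":"/api/v1/datasource/uploadExcel","status":200,"auth_token":""}
{"ts":"2025-01-10T08:01:10Z","ip":"203.0.113.7","method":"POST","uri":"/api/v1/datasource/uploadExcel?x=1","status":200}
{"ts":"2025-01-10T08:02:00Z","ip":"10.0.0.9","method":"GET","uri":"/api/v1/version","status":200}
{"ts":"2025-01-10T08:02:30Z","ip":"203.0.113.7","method":"POST","uri":"/api/v1/datasource/uploadExcel","status":401}
this line is not JSON and must be skipped, not crash the filter
"""


def parse_line(line):
    """Parse one JSON log line; return None for anything that is not a JSON object."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def path_only(uri):
    """Strip the query string so '/path?x=1' still matches '/path'."""
    return uri.split("?", 1)[0]


def is_authenticated(rec):
    """Mirror of 'NOT auth_token=*': a missing or empty token counts as unauthenticated."""
    return bool(rec.get("auth_token"))


def find_unauth_uploads(lines):
    """Return every unauthenticated POST to the upload endpoint, with whether it was accepted."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("method") != "POST" or path_only(rec.get("uri", "")) != UPLOAD_PATH:
            continue
        if is_authenticated(rec):
            continue
        try:
            status = int(rec.get("status", 0))
        except (TypeError, ValueError):
            status = 0
        hits.append({
            "ts": rec.get("ts"),
            "ip": rec.get("ip"),
            "status": status,
            "accepted": 200 <= status < 300,  # 2xx means the upload reached the handler
        })
    return hits


def summarize(hits):
    """Per-source counts, split into accepted (bypass succeeded) and rejected (auth held)."""
    accepted = Counter(h["ip"] for h in hits if h["accepted"])
    rejected = Counter(h["ip"] for h in hits if not h["accepted"])
    return {"accepted": dict(accepted), "rejected": dict(rejected)}


if __name__ == "__main__":
    found = find_unauth_uploads(SAMPLE_LOG.splitlines())
    for h in found:
        print(h)
    print(summarize(found))
```

Any entry in the "accepted" bucket on an unpatched instance should be followed up by checking the PostgreSQL tables SQLBot writes uploads into, since a 'replace' upload can silently overwrite an existing table (see the Worst Case above).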