CVE-2025-24786 (CVSS 10) & CVE-2025-24787: Critical WhoDB Vulnerabilities

The widely used database management tool WhoDB has been found to contain two critical security vulnerabilities—a path traversal flaw (CVE-2025-24786, CVSS 10.0) and a parameter injection issue (CVE-2025-24787, CVSS 8.6)—both of which could allow attackers to gain unauthorized access to sensitive data and system files.

WhoDB, built in GoLang, is designed for streamlined database administration, offering interactive schema visualization and inline editing. However, these newly disclosed flaws pose a severe risk to any system running vulnerable versions (<= 0.45.0).

CVE-2025-24786: Path Traversal Vulnerability (CVSS 10)

This critical vulnerability stems from a lack of path traversal prevention when opening SQLite3 databases. While WhoDB is designed to only display SQLite3 databases within a specific directory, an attacker can exploit this flaw to open any SQLite3 database on the host machine.

“This allows an unauthenticated attacker to open any SQLite3 database present on the host machine that the application is running on.” Attackers can leverage path traversal techniques (e.g., using “../../” in file paths) to navigate outside the intended directory and access sensitive database files. This could lead to the exposure of confidential data, modification of critical information, and potential disruption of services.

CVE-2025-24787: Parameter Injection Vulnerability (CVSS 8.6)

The second vulnerability involves parameter injection in database connection strings, enabling attackers to read local files on the machine running WhoDB. This flaw arises from unsafe string concatenation when building database connection URIs, allowing attackers to inject arbitrary parameters.

One such dangerous parameter is “allowAllFiles” in the github.com/go-sql-driver/mysql library. By injecting &allowAllFiles=true into the connection URI, an attacker can execute the LOAD DATA LOCAL INFILE query to access any file on the host machine.

Impact and Recommendations

The proof-of-concept exploits have already been developed, highlighting the ease with which attackers could leverage these flaws.

These vulnerabilities pose a significant threat to users of WhoDB, potentially leading to data breaches, unauthorized access, and system compromise. Both vulnerabilities affect WhoDB versions <= 0.45.0. The developers have addressed these issues in versions > 0.45.0, and users are strongly urged to update immediately.

In addition to updating, organizations using WhoDB should implement security measures such as network segmentation, access controls, and regular security audits to mitigate the risk of exploitation.