CVE-2025-24786 Overview
CVE-2025-24786 is a critical path traversal vulnerability in WhoDB, an open source database management tool. The vulnerability allows unauthenticated attackers to bypass directory restrictions and access any SQLite3 database present on the host system. While WhoDB is designed to only display SQLite3 databases from the /db directory, the application lacks proper path traversal prevention, enabling attackers to use sequences like ../../ to navigate to arbitrary filesystem locations and open sensitive database files.
Critical Impact
Unauthenticated attackers can access any SQLite3 database on the host system through path traversal, potentially exposing sensitive data, credentials, and application secrets stored in databases outside the intended directory.
Affected Products
- Clidey WhoDB versions prior to 0.45.0
- WhoDB installations with SQLite3 database support enabled
- WhoDB development mode instances (using ./tmp/ directory)
Discovery Timeline
- 2025-02-06 - CVE-2025-24786 published to NVD
- 2025-12-31 - Last updated in NVD database
Technical Details for CVE-2025-24786
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in WhoDB's SQLite3 database handling functionality. The application is designed to restrict database access to files within the /db/ directory (or ./tmp/ in development mode). When no databases are present in these default directories, the UI correctly indicates that no databases are available to open.
However, the database file path is a user-controlled value that gets concatenated using Go's .Join() function with the default directory to construct the full path. The critical flaw is that no validation is performed to verify whether the resolved database file actually resides within the intended /db directory after path resolution. This allows attackers to supply path traversal sequences to escape the restricted directory and access any SQLite3 database file readable by the application process.
Root Cause
The root cause is improper input validation in the SQLite3 plugin's database path handling logic. The vulnerable code in core/src/plugins/sqlite3/db.go accepts user-supplied database filenames and joins them with the base directory without sanitizing path traversal sequences. The application trusts user input without verifying that the final resolved path remains within the allowed directory boundary.
Attack Vector
The attack can be executed remotely over the network without any authentication requirements. An attacker sends a request to the WhoDB application specifying a crafted database filename containing path traversal sequences such as ../../etc/sensitive.db. The application's .Join() function combines this with the default /db directory, but the traversal sequences navigate up and out of the restricted directory to access databases elsewhere on the filesystem.
The vulnerability is particularly dangerous because it requires no user interaction and can be exploited by any network-accessible attacker against exposed WhoDB instances. For detailed technical analysis, refer to the GitHub Security Advisory and the vulnerable code implementation.
Detection Methods for CVE-2025-24786
Indicators of Compromise
- HTTP requests to WhoDB containing path traversal patterns (../, ..%2f, %2e%2e/) in database file parameters
- Unexpected database file access attempts logged by the application or operating system
- Access to SQLite3 database files outside the /db or ./tmp directories by the WhoDB process
- Anomalous network traffic patterns indicating automated scanning for path traversal vulnerabilities
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal sequences in request parameters
- Monitor application logs for database connection attempts referencing files outside expected directories
- Deploy file integrity monitoring on sensitive SQLite3 databases to detect unauthorized access
- Use network intrusion detection systems with signatures for common path traversal attack patterns
Monitoring Recommendations
- Enable detailed logging for all database connection attempts in WhoDB
- Configure alerts for any access to SQLite3 files outside the designated /db directory
- Monitor the WhoDB process for file access operations using tools like auditd or endpoint detection solutions
- Implement SentinelOne Singularity platform for real-time detection of exploitation attempts and behavioral anomalies
How to Mitigate CVE-2025-24786
Immediate Actions Required
- Upgrade WhoDB to version 0.45.0 or later immediately
- Restrict network access to WhoDB instances using firewall rules until patching is complete
- Audit logs for any historical exploitation attempts using path traversal patterns
- Implement network segmentation to limit exposure of database management interfaces
Patch Information
The vulnerability has been addressed in WhoDB version 0.45.0. All users are strongly advised to upgrade to this version or later. The patch implements proper path validation to ensure that database files cannot be accessed outside the designated directories. For detailed patch information, consult the official security advisory.
Workarounds
- No official workarounds are available for this vulnerability according to the vendor advisory
- As a temporary measure, restrict network access to WhoDB to trusted IP addresses only
- Consider disabling SQLite3 database support if not required until patching is possible
- Deploy a reverse proxy with path traversal filtering as an additional defense layer
# Example: Restrict WhoDB access using iptables (temporary mitigation)
# Only allow connections from trusted management network
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
