CVE-2025-24787

CVSS 3.1 Score 8.6 of 10 (high)

Details

Published Feb 6, 2025
CWE ID 943

Summary

CVE-2025-24787 affects WhoDB, an open source database management tool. The application is vulnerable to parameter injection in database connection strings due to unsafe string concatenation. An attacker can exploit this vulnerability by setting the `allowAllFiles` parameter to `true` in the library `github.com/go-sql-driver/mysql`. This allows the running of `LOAD DATA LOCAL INFILE` queries on any file on the host machine, potentially granting the attacker unauthorized access to local files. WhoDB users are advised to upgrade to version 0.45.0 to mitigate this risk. There are no known workarounds for this vulnerability.
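The concatenation flaw described above, next to a validated builder, as an added example that is not WhoDB's code or its patch. The `Conn` type, the function names and the sample input are hypothetical, and `dsnParams` is a simplified stand-in for the driver's DSN parser; in a real application, prefer filling the driver's `mysql.Config` struct and calling `FormatDSN()` over string formatting.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Conn holds user-supplied connection fields (hypothetical type, not WhoDB's).
type Conn struct{ User, Pass, Host, DB string }

// concatDSN is the flawed pattern when used alone: fields go in verbatim.
func concatDSN(c Conn) string {
	return fmt.Sprintf("%s:%s@tcp(%s)/%s", c.User, c.Pass, c.Host, c.DB)
}

// dsnParams is a simplified model of DSN parameter parsing: the text after
// the '?' that follows the last '/' is split into key=value pairs on '&'.
func dsnParams(dsn string) map[string]string {
	out := map[string]string{}
	_, query, found := strings.Cut(dsn[strings.LastIndex(dsn, "/")+1:], "?")
	if !found {
		return out
	}
	for _, kv := range strings.Split(query, "&") {
		k, v, _ := strings.Cut(kv, "=")
		if uv, err := url.QueryUnescape(v); err == nil {
			out[k] = uv
		}
	}
	return out
}

var fieldOK = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)

// safeDSN rejects fields that could alter DSN structure. Parameters come only
// from a server-side constant, so a caller can never supply allowAllFiles.
// The password is not checked: it precedes the last '/', so in this model it
// cannot reach the parameter section once the other fields are validated.
func safeDSN(c Conn) (string, error) {
	for _, f := range []string{c.User, c.Host, c.DB} {
		if !fieldOK.MatchString(f) {
			return "", errors.New("connection field contains DSN metacharacters")
		}
	}
	return concatDSN(c) + "?allowAllFiles=false", nil
}

func main() {
	c := Conn{"app", "pw", "db.internal", "inventory?allowAllFiles=true"} // constructed input
	fmt.Println(dsnParams(concatDSN(c))) // map[allowAllFiles:true]
	_, err := safeDSN(c)
	fmt.Println(err)
}
```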
