WhoDB is an open-source database management tool that provides an intuitive interface and powerful features for managing databases, including SQLite3. A path traversal vulnerability, tracked as CVE-2025-24786, has been discovered in certain versions of WhoDB: it allows access to SQLite3 database files outside the default /db directory. An unauthenticated attacker can use it to view, modify, or delete data in any SQLite3 database file on the host system.
Affected Versions
Affected versions of WhoDB (those before the fixed release, 0.45.0) allow connections to SQLite3 databases by default. The database files are expected to live in the /db/ directory, or in the ./tmp/ directory if development mode is enabled. When no database files exist in these default directories, the UI prevents users from opening or managing any.
The core issue is how WhoDB handles the user-controlled database name. To build the full path of a database file, WhoDB joins the default directory and the supplied name with Go's Join function (path.Join / filepath.Join). No check is performed afterwards to ensure that the resulting path still resides within the default directory.
Exploit Details
An attacker exploits the unguarded Join by placing a traversal sequence such as ../../ in the user-controlled database name. Join cleans the ".." segments, so the resulting path points wherever the attacker chooses, and WhoDB opens any SQLite3 database file present on the host system with whatever filesystem permissions the WhoDB process has. This grants unauthorized read and write access to the data in those files, potentially resulting in data leaks or corruption.
Here's a simple Go snippet illustrating the vulnerable pattern (the user-controlled value is whatever the client sends as the database name):
const defaultDir = "/db"
userControlledValue := "../../some-sensitive-db.db" // taken from the request as-is
// filepath.Join cleans the result: "/db/../../some-sensitive-db.db" becomes "/some-sensitive-db.db"
targetDbPath := filepath.Join(defaultDir, userControlledValue)
// No check that targetDbPath still resides inside defaultDir
db, err := sql.Open("sqlite3", targetDbPath)
Mitigation
To address this vulnerability, the WhoDB developers have released version 0.45.0, which adds the missing checks and rejects database paths that escape the default directory. All users are strongly advised to update their WhoDB installation to 0.45.0 or later. You can find the updated version on the official WhoDB GitHub repository.
As of now, there are no known workarounds for users who cannot upgrade to the latest version. Upgrading should be considered the only effective solution to protect your databases from unauthorized access and potential data breaches.
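To make the exploit mechanics from the section above and the kind of containment check the fix requires concrete, here is an added Go example. It is written for this page and is not WhoDB's own code: vulnerableDBPath reproduces the unguarded Join pattern the advisory describes, and safeDBPath is a hypothetical hardened resolver (not the project's actual patch). The base directories and database names used are constructed sample inputs; no SQLite driver is needed because only the path resolution is shown.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the resolved path escapes the base directory.
var ErrOutsideBase = errors.New("database path escapes the configured directory")

// vulnerableDBPath mirrors the unguarded pattern from the advisory: the
// user-controlled name is joined to the default directory and used as-is.
// filepath.Join cleans ".." segments, so "../../x.db" silently walks out
// of baseDir instead of failing.
func vulnerableDBPath(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// safeDBPath is a hypothetical hardened resolver (assumption, not WhoDB's fix):
// it joins exactly like the vulnerable version, then checks that the cleaned
// result is still inside baseDir before the caller opens it.
func safeDBPath(baseDir, name string) (string, error) {
	base := filepath.Clean(baseDir)
	target := filepath.Join(base, name)

	// filepath.Rel answers "how do I get from base to target?". If the answer
	// starts with "..", the target is outside base. This avoids the classic
	// strings.HasPrefix pitfall where "/dbx/a.db" would pass as inside "/db".
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	// An empty or "." name resolves to the directory itself, not a database file.
	if rel == "." {
		return "", errors.New("empty database name")
	}
	return target, nil
}

func main() {
	// Constructed sample inputs: a legitimate name and a traversal payload.
	for _, name := range []string{"app.db", "../../some-sensitive-db.db"} {
		fmt.Printf("vulnerable: %q -> %s\n", name, vulnerableDBPath("/db", name))
		if p, err := safeDBPath("/db", name); err != nil {
			fmt.Printf("safe:       %q -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("safe:       %q -> %s\n", name, p)
		}
	}
}
```

Two caveats a practitioner should keep in mind. First, a lexical check like safeDBPath does not follow symlinks: a link placed inside the base directory can still point elsewhere, so resolve with filepath.EvalSymlinks before the containment check, or on Go 1.24+ open files through os.OpenRoot, which enforces the boundary at the OS level. Second, the check must run on the final cleaned path; validating the raw user string (for example, rejecting ".." substrings) is weaker, because encodings and mixed separators can slip past it while Join still resolves them.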
Additional Resources
To learn more about this CVE and the recommended steps to address the issue, refer to the following resources:
- National Vulnerability Database (NVD) CVE-2025-24786
- OWASP Top Ten: Insecure Direct Object References (IDOR) / Path Traversal
- SQLite3 Official Documentation
Timeline
Published on: 02/06/2025 19:15:20 UTC
Last modified on: 02/06/2025 20:15:40 UTC