CVE-2025-24786: WhoDB has a path traversal opening Sqlite3 database
While the application only displays Sqlite3 databases present in the directory /db, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 database present on the host machine that the application is running on.
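The flaw described above is a missing containment check on a user-supplied file name. As an added illustration (not WhoDB's code and not the project's fix), the Go snippet below shows the unchecked join beside a version that confines the resolved path to the base directory; the directory /db comes from the advisory, the function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBaseDir is returned when the requested database name would
// resolve to a file outside the allowed directory.
var ErrOutsideBaseDir = errors.New("database path escapes the allowed directory")

// unsafeDBPath mirrors the pattern described in the advisory (hypothetical
// reconstruction): the user-supplied name is joined onto the base directory
// with no check that the result still lies inside it, so "../../etc/x.db" escapes /db.
func unsafeDBPath(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// safeDBPath confines the resolved path to baseDir. It cleans the joined path
// and then uses filepath.Rel to verify that the result does not climb above
// baseDir. Absolute names and any leading ".." component are rejected; a name
// such as "..app.db" is still allowed because the separator is checked too.
func safeDBPath(baseDir, name string) (string, error) {
	base := filepath.Clean(baseDir)
	if filepath.IsAbs(name) {
		return "", ErrOutsideBaseDir
	}
	full := filepath.Clean(filepath.Join(base, name))
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", ErrOutsideBaseDir
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBaseDir
	}
	return full, nil
}

func main() {
	for _, name := range []string{"app.db", "sub/../app.db", "..app.db", "../../etc/x.db", "/etc/x.db"} {
		p, err := safeDBPath("/db", name)
		fmt.Printf("%-16s unsafe=%-18s safe=%q err=%v\n", name, unsafeDBPath("/db", name), p, err)
	}
}
```

This lexical check does not follow symlinks, so a link placed inside /db could still point elsewhere; resolving the result with filepath.EvalSymlinks before opening closes that gap.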
References
- github.com/advisories/GHSA-9r4c-jwx3-3j76
- github.com/clidey/whodb
- github.com/clidey/whodb/blob/ba6eb81d0ca40baead74bca58b2567166999d6a6/core/src/plugins/sqlite3/db.go
- github.com/clidey/whodb/commit/547336ac73c8d17929c18c3941c0d5b0099753cc
- github.com/clidey/whodb/security/advisories/GHSA-9r4c-jwx3-3j76
- nvd.nist.gov/vuln/detail/CVE-2025-24786