CVE-2025-24787: WhoDB allows parameter injection in DB connection URIs leading to local file inclusion
The application is vulnerable to parameter injection in database connection strings: values a user supplies for a connection are placed into the driver DSN without validation, so extra driver parameters can be smuggled in, and the resulting connection lets an attacker read local files on the machine where the application runs.
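The defensive pattern against this class of bug is to never let user input reach the parameter section of a DSN: validate each connection field against a strict character set and append only a server-fixed parameter list. The following Go program is an added illustration of that pattern, not WhoDB's code and not the fix from the referenced commit; the `ConnRequest` type, its field names, the `BuildMySQLDSN` function and the sample inputs are assumptions constructed for the example. The DSN layout it targets is the `user:password@tcp(host:port)/db?k=v` format used by go-sql-driver/mysql.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strconv"
)

// ConnRequest is a hypothetical shape for the fields a user fills in on a
// "connect to database" form. The names are assumptions for this example,
// not WhoDB's own types.
type ConnRequest struct {
	Host     string
	Port     string
	User     string
	Password string
	Database string
}

var (
	// DNS-style host name: labels of letters, digits, dots and hyphens only.
	hostRe = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$`)
	// Database and user names: a conservative identifier character set.
	identRe = regexp.MustCompile(`^[A-Za-z0-9_$-]{1,64}$`)
	// Characters with structural meaning in the DSN "user:pass@tcp(host:port)/db?k=v&k2=v2".
	// A password containing any of them is rejected rather than escaped.
	dsnMeta = regexp.MustCompile(`[@/?&=()]`)
)

// fixedParams is the only set of driver options the server ever sends. Options
// that let the driver read files on this host are deliberately absent and
// cannot be added by the caller because no user field reaches this section.
const fixedParams = "parseTime=true"

func validHost(h string) bool {
	if net.ParseIP(h) != nil {
		return true
	}
	return hostRe.MatchString(h)
}

// BuildMySQLDSN validates every user-controlled field and assembles a DSN
// whose parameter section is fixed by the server.
func BuildMySQLDSN(r ConnRequest) (string, error) {
	if !validHost(r.Host) {
		return "", errors.New("invalid host")
	}
	host := r.Host
	if ip := net.ParseIP(r.Host); ip != nil && ip.To4() == nil {
		host = "[" + r.Host + "]" // IPv6 literals need brackets inside tcp(...)
	}
	port, err := strconv.Atoi(r.Port)
	if err != nil || port < 1 || port > 65535 {
		return "", errors.New("invalid port")
	}
	if !identRe.MatchString(r.User) {
		return "", errors.New("invalid user name")
	}
	if !identRe.MatchString(r.Database) {
		return "", errors.New("invalid database name")
	}
	if dsnMeta.MatchString(r.Password) {
		return "", errors.New("password contains DSN metacharacters")
	}
	return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?%s",
		r.User, r.Password, host, port, r.Database, fixedParams), nil
}

func main() {
	// Constructed sample inputs: one well-formed request and one whose
	// database field tries to smuggle an extra "?key=value" parameter.
	good := ConnRequest{Host: "db.internal", Port: "3306", User: "app", Password: "s3cret", Database: "inventory"}
	bad := good
	bad.Database = "inventory?extra=1"
	for _, r := range []ConnRequest{good, bad} {
		dsn, err := BuildMySQLDSN(r)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("dsn:", dsn)
	}
}
```

Rejecting rather than escaping is the safer choice here: DSN parsers differ in how they treat escaped delimiters, whereas a field that contains no delimiter at all cannot alter the parameter section regardless of parser behaviour.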
References
- github.com/advisories/GHSA-c7w4-9wv8-7x7c
- github.com/clidey/whodb
- github.com/clidey/whodb/commit/8d67b767e00552e5eba2b1537179b74bfa662ee1
- github.com/clidey/whodb/security/advisories/GHSA-c7w4-9wv8-7x7c
- github.com/go-sql-driver/mysql/blob/7403860363ca112af503b4612568c3096fecb466/infile.go
- nvd.nist.gov/vuln/detail/CVE-2025-24787