CVE-2025-24337: Insecure default config access in WriteFreely

January 20, 2025 (updated January 21, 2025)

WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini.

References

github.com/advisories/GHSA-3qc3-mx6x-267h
github.com/writefreely/writefreely
github.com/writefreely/writefreely/releases/tag/v0.15.1
nvd.nist.gov/vuln/detail/CVE-2025-24337
raphus.social/@TV4Fun/113846757112643161
www.openwall.com/lists/oss-security/2025/01/18/1

Code Behaviors & Features

Detect and mitigate CVE-2025-24337 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →