cvedb.io
CVE-2025-24787
HIGH · CVSS 8.6
EPSS exploitation probability: 0%
Published 2025-02-06T19:15:20.213 · Last modified 2026-06-17T08:59:36.530

Summary

WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on. The application uses string concatenation to build database connection URIs which are then passed to corresponding libraries responsible for setting up the database connections. This string concatenation is done unsafely and without escaping or encoding the user input. This allows an user, in many cases, to inject arbitrary parameters into the URI string. These parameters can be potentially dangerous depending on the libraries used. One of these dangerous parameters is `allowAllFiles` in the library `github.com/go-sql-driver/mysql`. Should this be

Affected products

clidey — whodb

Does this affect you?

Add your gear to cvedb and we'll alert you only when clidey ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.