PT-2025-5856 · WhoDB

Nnsee · Published 2025-02-06 · Updated 2026-02-01 · CVE-2025-24786

CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: WhoDB versions prior to 0.45.0

Description: An unauthenticated attacker can open any SQLite3 database present on the host the application runs on, because the database file name is not checked for path traversal. The user-controlled file name is joined with the default database directory (a `.Join()` call) to build the full path of the file to open. In Go, `filepath.Join` cleans the resulting path but does not confine it to the base directory, so a name containing traversal sequences such as `../../` resolves to an arbitrary location on the filesystem, and any SQLite3 database on the system can be opened through the application.

Recommendations: Update WhoDB to version 0.45.0 or later, which patches this issue. As a temporary workaround, restrict access to the database files (and to the application itself) to reduce the risk of exploitation, and avoid using user-controlled input for the database file path until the fix is deployed. In the code, before attempting to open a database, resolve and normalize the joined path and check that it is still inside the default directory; if it is not, return an error to the user instead of opening the file.
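The check recommended above, as an added example in Go (WhoDB's language); this is illustration code written for this page, not WhoDB's own code or its actual fix. The directory `/var/lib/whodb`, the function names and the sample file names are constructed for the example; `unsafeDatabasePath` mirrors the vulnerable join-and-use pattern the description refers to, and `safeDatabasePath` shows the normalize-then-contain check.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBaseDir is returned when a user-supplied database name would
// resolve to a file outside the default database directory.
var ErrOutsideBaseDir = errors.New("database path escapes the default directory")

// unsafeDatabasePath mirrors the vulnerable pattern described in the advisory:
// the user-controlled file name is joined with the default directory and the
// result is used as-is. filepath.Join cleans the path, but cleaning resolves
// "../" against the base directory instead of rejecting it, so a name such as
// "../../../etc/secrets.db" silently escapes.
func unsafeDatabasePath(baseDir, userDB string) string {
	return filepath.Join(baseDir, userDB)
}

// safeDatabasePath joins the user-supplied name with the default directory,
// normalizes the result and verifies it still lies within that directory.
// It returns the resolved path, or ErrOutsideBaseDir when the name would
// traverse out of baseDir (or does not name a file at all).
func safeDatabasePath(baseDir, userDB string) (string, error) {
	if filepath.IsAbs(userDB) {
		// An absolute name is never a plain file name; reject it outright.
		return "", ErrOutsideBaseDir
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, userDB) // Join also applies filepath.Clean

	// Express the result relative to the base directory. If the relative form
	// is "..", or starts with "../", the cleaned path has left the directory.
	// "." means no file was named at all (empty input), which is also rejected.
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBaseDir
	}
	// This is a purely lexical check. If baseDir may contain attacker-controlled
	// symlinks, resolve them with filepath.EvalSymlinks before the comparison
	// (omitted here because it requires a real directory on disk).
	return full, nil
}

func main() {
	// Constructed inputs for illustration; the directory does not need to exist.
	const base = "/var/lib/whodb"
	for _, name := range []string{"app.db", "../../../etc/secrets.db", "sub/../app.db"} {
		fmt.Printf("unsafe: %q -> %q\n", name, unsafeDatabasePath(base, name))
		if p, err := safeDatabasePath(base, name); err != nil {
			fmt.Printf("safe:   %q -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("safe:   %q -> %q\n", name, p)
		}
	}
}
```

Note that a name like `sub/../app.db` is accepted, because after normalization it still points inside the directory; the check rejects where the path ends up, not the mere presence of `..`. On Go 1.24 and later, `os.OpenRoot` can enforce the same containment at the operating-system level, including for symlinks, which removes the lexical-only caveat.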

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2025-02456
CVE-2025-24786
GHSA-9R4C-JWX3-3J76
GO-2025-3456
OPENSUSE-SU-2025:14754-1
OPENSUSE-SU-2025_0429-1
SUSE-SU-2025:0429-1

Affected Products

Suse
Whodb