CVE-2025-24787

Name of the Vulnerable Software and Affected Versions WhoDB versions prior to 0.45.0

Description The application is vulnerable to parameter injection in database connection strings, allowing an attacker to read local files on the machine the application is running on. This is due to the use of string concatenation to build database connection URIs without escaping or encoding user input, enabling users to inject arbitrary parameters into the URI string. One such parameter is allowAllFiles in the github.com/go-sql-driver/mysql library, which, if set to true, allows the execution of the LOAD DATA LOCAL INFILE query on any file on the host machine. By injecting &allowAllFiles=true into the connection URI and connecting to any MySQL server, an attacker can read local files.

Recommendations For WhoDB versions prior to 0.45.0, upgrade to version 0.45.0 to address the issue. As a temporary workaround, consider restricting access to the github.com/go-sql-driver/mysql library or avoiding the use of the allowAllFiles parameter in the database connection string until the issue is resolved.