| Snyk

Threat Intelligence

Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Neutralization of Special Elements in Data Query Logic vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-GOLANG-GITHUBCOMCLIDEYWHODBCORESRCPLUGINSMYSQL-8689574
published7 Feb 2025
disclosed6 Feb 2025
creditRasmus Moorats

Report a new vulnerability Found a mistake?

Introduced: 6 Feb 2025

NewCVE-2025-24787 (opens in a new tab) CWE-943 (opens in a new tab)

How to fix?

Upgrade github.com/clidey/whodb/core/src/plugins/mysql to version 0.46.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the database connection URI construction process due to improper input sanitization. An attacker can read local files on the host machine by injecting parameters such as &allowAllFiles=true into the connection string of the library github.com/go-sql-driver/mysql, which manipulates the behavior of the database connection library to allow loading data from any local file.

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
High
Integrity (SI)
None
Availability (SA)
None

Improper Neutralization of Special Elements in Data Query Logic Affecting github.com/clidey/whodb/core/src/plugins/mysql package, versions <0.46.0

Severity