CVE-2025-13699
Directory Traversal in MariaDB mariadb-dump Enables Remote Code Execution
Publication date: 2025-12-23
Last updated on: 2025-12-23
Assigner: Zero Day Initiative
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mariadb | mariadb | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the MariaDB mariadb-dump utility involves improper validation of user-supplied view names, leading to directory traversal. This flaw allows remote attackers to execute arbitrary code by manipulating file paths used in file operations within mariadb-dump, executing code with the privileges of the current user.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can execute arbitrary code remotely on affected MariaDB installations, potentially leading to unauthorized access, data manipulation, or system compromise under the current user's privileges.