Platform
python
Component
mindsdb
Fixed in
25.11.2
25.11.1
CVE-2025-68472 describes a Path Traversal vulnerability affecting MindsDB, a platform for building AI from enterprise data. This flaw allows unauthenticated attackers to read sensitive files from the server's filesystem and potentially move them into MindsDB's storage. The vulnerability impacts versions of MindsDB up to and including 25.9.3rc1, and a fix is available in version 25.11.1.
The primary impact of CVE-2025-68472 is the potential for unauthorized access to sensitive data stored on the server. The path traversal vulnerability allows an attacker to bypass access controls and read any file that the mindsdb process has permissions to access. This could include configuration files, database backups, or even source code. While the vulnerability is classified as a DoS, the ability to read arbitrary files significantly expands the attack surface and potential for data breaches. The lack of authentication makes exploitation relatively straightforward, increasing the risk of widespread compromise.
CVE-2025-68472 was publicly disclosed on 2026-01-12. The vulnerability is considered to have a medium exploitation probability based on the ease of exploitation and the lack of authentication requirements. No public proof-of-concept exploits have been identified at the time of writing, but the simplicity of the path traversal makes it likely that exploits will emerge. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Organizations utilizing MindsDB for AI development and deployment, particularly those storing sensitive data within the platform, are at risk. Environments with limited network segmentation or inadequate input validation on file upload endpoints are especially vulnerable. Shared hosting environments running MindsDB are also at increased risk due to potential cross-tenant access.
• python / server:
grep -r "file.py" /opt/mindsdb/app/mindsdb/
grep -rn 'source_type is not "url"' /opt/mindsdb/app/mindsdb/file.py
Disclosure
Exploit status
EPSS
0.45% (64th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-68472 is to immediately upgrade to mindsdb version 25.11.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds to restrict access to the file upload API. This could involve implementing stricter input validation on the file parameter within the PUT handler in file.py, ensuring that user-provided data is properly sanitized before being used to construct file paths. Additionally, review and restrict file system permissions for the mindsdb process to limit the scope of potential data exposure. After upgrading, confirm the fix by attempting a path traversal attack against the file upload API and verifying that access is denied.
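As an added illustration of the input validation the workaround above calls for (this is not MindsDB's code, and the handler shape, the `file` name field and the storage layout are assumptions), the following treats a client-supplied name as a bare file name inside a fixed storage root, rejects anything containing separators or traversal components instead of trying to clean it, and writes only request-body bytes under the validated name, so the server never opens a client-chosen path on its own filesystem.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a user-supplied file name would escape the storage root."""


def resolve_upload_path(storage_root: str, user_name: str) -> Path:
    """Map a client-supplied name onto a file directly inside storage_root.

    Absolute paths, separators, NUL bytes and the reserved names '.' / '..'
    are rejected outright, and the resolved result must still sit directly
    under the symlink-resolved root (this also catches symlinks in the root).
    """
    root = Path(storage_root).resolve()
    if not user_name or user_name in (".", ".."):
        raise UnsafePathError(f"empty or reserved name: {user_name!r}")
    if os.path.isabs(user_name) or any(c in user_name for c in ("/", "\\", "\x00")):
        raise UnsafePathError(f"separators not allowed in name: {user_name!r}")
    candidate = (root / user_name).resolve()
    if candidate.parent != root:
        raise UnsafePathError(f"name escapes storage root: {user_name!r}")
    return candidate


def is_safe_upload_name(storage_root: str, user_name: str) -> bool:
    """Boolean form of resolve_upload_path, convenient for tests and logging."""
    try:
        resolve_upload_path(storage_root, user_name)
        return True
    except UnsafePathError:
        return False


def store_upload(storage_root: str, user_name: str, data: bytes) -> Path:
    """Persist request-body bytes under a validated name (assumed handler shape)."""
    target = resolve_upload_path(storage_root, user_name)
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Exercise the checks against a temporary storage root with constructed data."""
    root = tempfile.mkdtemp(prefix="uploads_")
    stored = store_upload(root, "customers.csv", b"id,name\n1,alice\n")
    attempts = ["../../etc/passwd", "/etc/passwd", "..", "sub/x.csv", "ok.csv"]
    return {
        "stored": stored.name,
        "content": stored.read_bytes(),
        "rejected": [a for a in attempts if not is_safe_upload_name(root, a)],
    }
```

A real handler would additionally cap the upload size and only honour the `url` source type through a dedicated fetch routine, never by reading a local path.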
Update MindsDB to version 25.11.1 or later. This version fixes the path traversal vulnerability in the file upload API, preventing arbitrary file reads and the exposure of sensitive data.
CVE-2025-68472 is a Path Traversal vulnerability in MindsDB versions up to 25.9.3rc1, allowing unauthenticated attackers to read sensitive files.
You are affected if you are running MindsDB version 25.9.3rc1 or earlier. Upgrade to 25.11.1 to resolve the issue.
Upgrade MindsDB to version 25.11.1 or later. As a temporary workaround, restrict network access to the file upload API.
There is no confirmed active exploitation of CVE-2025-68472 at this time, but the HIGH severity score warrants immediate attention.
Refer to the official MindsDB security advisory for detailed information and updates regarding CVE-2025-68472.