CVE-2025-68472

Published Jan 12, 2026

Last updated 2 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-68472 describes an unauthenticated path traversal vulnerability found in MindsDB, a platform designed for building artificial intelligence from enterprise data. This flaw affects versions of MindsDB prior to 25.11.1. The vulnerability stems from improper sanitization within the file upload API, specifically in the `file.py` PUT handler. When the request body is in JSON format and the `source_type` is not "url", user-controlled data is directly incorporated into a filesystem path. This oversight allows an attacker to read arbitrary files from the server's filesystem and subsequently move them into MindsDB's storage, potentially exposing sensitive data.

Description
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in `file.py` directly joins user-controlled data into a filesystem path when the request body is JSON and `source_type` is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to `clear_filename` or equivalent checks. This vulnerability is fixed in 25.11.1.
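The kind of check the advisory says the JSON branch lacked, as an added example that is not MindsDB's code: a bare-filename validator that a JSON, non-"url" upload branch would call before joining the name into the storage path, with the unchecked join shown for contrast. The storage root, function names and the reject-rather-than-rename policy are assumptions made for this illustration.

```python
# Added example, not MindsDB's code: a filename check of the kind the
# advisory says the JSON upload branch lacked. Function names, the storage
# root and the rejection policy are assumptions made for this illustration.
import os
from pathlib import Path, PureWindowsPath


class UnsafeFilename(ValueError):
    """Raised when a user-supplied name is not a plain single path component."""


def clean_filename(name: str) -> str:
    """Accept only a bare file name; refuse anything that could change directories.

    Rejects NUL bytes, both separator styles, drive prefixes and dot-only
    components instead of 'fixing' them, so a traversal attempt fails loudly
    rather than being silently renamed.
    """
    if not name or "\x00" in name:
        raise UnsafeFilename("empty name or NUL byte")
    if "/" in name or "\\" in name:
        raise UnsafeFilename(f"path separator in filename: {name!r}")
    if name in (".", "..") or PureWindowsPath(name).drive:
        raise UnsafeFilename(f"unusable filename: {name!r}")
    return name


def resolve_upload_path(storage_root: str, name: str) -> Path:
    """Join the cleaned name under storage_root and re-check containment.

    The containment check is defence in depth: after clean_filename the join
    cannot escape, but resolving also catches a symlink planted under the root.
    """
    root = Path(storage_root).resolve()
    target = (root / clean_filename(name)).resolve()
    if target.parent != root:
        raise UnsafeFilename(f"resolved path leaves storage root: {target}")
    return target


def is_safe_upload_name(storage_root: str, name: str) -> bool:
    """Convenience predicate for request validation and tests."""
    try:
        resolve_upload_path(storage_root, name)
        return True
    except UnsafeFilename:
        return False


def vulnerable_join(storage_root: str, name: str) -> str:
    """The unsafe pattern the advisory describes: join the raw value unchecked."""
    return os.path.join(storage_root, name)  # '../x' or '/etc/x' leave the root
```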
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.1
Impact score
5.2
Exploitability score
2.8
Vector string
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-22

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

10