CVE-2025-68472 — HIGH (8.1)

Q: How severe is CVE-2025-68472?

CVE-2025-68472 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-68472?

Check the references section above for vendor advisories and patch information. Affected products include: Mindsdb Mindsdb.

Vulnerability Description

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Mindsdb	Mindsdb	< 25.11.1

Related Weaknesses (CWE)

CWE-22 CWE-36 CWE-23

References

FAQ

What is CVE-2025-68472?

CVE-2025-68472 is a vulnerability with a CVSS score of 8.1 (HIGH). MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files...

How severe is CVE-2025-68472?

CVE-2025-68472 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-68472?

Check the references section above for vendor advisories and patch information. Affected products include: Mindsdb Mindsdb.