CVE-2025-69285

Source
https://cve.org/CVERecord?id=CVE-2025-69285
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69285.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-69285
Aliases
  • GHSA-crfm-cch4-hjpv
Published
2026-01-21T20:05:22.108Z
Modified
2026-02-04T06:32:16.427474Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Summary
SQLBot uploadExcel Endpoint has Unauthenticated Arbitrary File Upload vulnerability
Details

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing-authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, so the TokenMiddleware skips all token validation for it. Uploaded files are parsed by pandas and inserted into the database via `to_sql()` with `if_exists='replace'`, which drops and recreates the target table. The vulnerability has been fixed in v1.5.0. No known workarounds are available.
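The root cause described above is a whitelist entry, not a bug in the token check itself. The following is an added illustration, not SQLBot's own code: a minimal token middleware with a path whitelist, shown once with the upload endpoint whitelisted (the vulnerable shape) and once without it (the fixed shape), plus a small audit helper that flags any whitelisted path that also changes state. The `Request` class, the `VALID_TOKENS` set, the `/api/v1/login` path and the sample token are constructed for this example.

```python
"""Added example (not SQLBot's code): an auth middleware with a path whitelist.

Demonstrates the CWE-306 pattern in the advisory: a state-changing upload
endpoint placed on the authentication whitelist is reachable without any
token. The request model, token store and login path are constructed.
"""
from dataclasses import dataclass, field

# Path named in the advisory; everything else here is a constructed sample.
UPLOAD_PATH = "/api/v1/datasource/uploadExcel"
LOGIN_PATH = "/api/v1/login"                    # assumed public endpoint
VALID_TOKENS = {"constructed-token-123"}        # constructed token store


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: path plus headers."""
    path: str
    headers: dict = field(default_factory=dict)


@dataclass(frozen=True)
class TokenMiddleware:
    """Allows a request if its path is whitelisted or it carries a valid token."""
    whitelist: frozenset

    def allow(self, req: Request) -> bool:
        # Whitelisted paths skip token validation entirely; this is the
        # behaviour that made the upload endpoint reachable unauthenticated.
        if req.path in self.whitelist:
            return True
        auth = req.headers.get("Authorization", "")
        token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
        return token in VALID_TOKENS


# Vulnerable shape: the upload endpoint sits on the whitelist.
VULNERABLE = TokenMiddleware(frozenset({LOGIN_PATH, UPLOAD_PATH}))
# Fixed shape: only genuinely public endpoints are whitelisted.
FIXED = TokenMiddleware(frozenset({LOGIN_PATH}))


def audit_whitelist(whitelist, state_changing_paths):
    """Return whitelisted paths that also mutate state (should be empty).

    A useful review check for any auth-bypass list: every entry that writes
    to the database or filesystem is a missing-authentication finding.
    """
    return sorted(set(whitelist) & set(state_changing_paths))


if __name__ == "__main__":
    anon = Request(UPLOAD_PATH)
    print("vulnerable allows anonymous upload:", VULNERABLE.allow(anon))  # True
    print("fixed allows anonymous upload:", FIXED.allow(anon))            # False
    print("audit findings:", audit_whitelist(VULNERABLE.whitelist, {UPLOAD_PATH}))
```

The `audit_whitelist` check is the part worth keeping in a code review or CI step: diff the middleware's whitelist against the set of routes that write data, and treat any overlap as a finding rather than a convenience.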

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69285.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-306"
    ]
}
References

Affected packages

Git / github.com/dataease/sqlbot

Affected ranges

Type
GIT
Repo
https://github.com/dataease/sqlbot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.2.0
v1.2.1
v1.3.0
v1.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69285.json"