Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2025-69285

SQLBot uploadExcel Endpoint has Unauthenticated Arbitrary File Upload vulnerability
Back to all
CVE

CVE-2025-69285

SQLBot uploadExcel Endpoint has Unauthenticated Arbitrary File Upload vulnerability

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to bypass all token validation. Uploaded files are parsed by pandas and inserted into the database via tosql() with ifexists='replace' mode. The vulnerability has been fixed in v1.5.0. No known workarounds are available.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.7
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69285.json, https://github.com/dataease/SQLBot/releases/tag/v1.5.0, https://github.com/dataease/SQLBot/security/advisories/GHSA-crfm-cch4-hjpv, https://nvd.nist.gov/vuln/detail/CVE-2025-69285

Severity

0

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
0
EPSS Probability
0.00109%
EPSS Percentile
0.29077%
Introduced Version
0
Fix Available
9f891345788465b9593ac6a01af163a26fe0b509

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading