PUBLISHED DATE: April 30, 2025CVE-2025-46619:
LFI Vulnerability

Description

A security issue has been discovered in Couchbase Server before 7.6.4 and fixed in v.7.6.4 and v.7.2.7 for Windows that could allow unauthorized access to sensitive files. Depending on the level of privileges, this vulnerability may grant access to files such as /etc/passwd or /etc/shadow.

Products

• Couchbase Couchbase Server
• Couchbase Server 2.0.0
• COUCHBASE > couchbase server 2.*.*
• COUCHBASE > couchbase server 2.*.*
• COUCHBASE > couchbase server 2.*.*
• COUCHBASE > couchbase server 3.*.*
• COUCHBASE > couchbase server 3.*.*
• COUCHBASE > couchbase server 4.*.*
• COUCHBASE > couchbase server 4.*.*
• Couchbase Server 4.0.0
• COUCHBASE > couchbase server 4.*.*
• COUCHBASE > couchbase server 4.*.*
• COUCHBASE > couchbase server 4.*.*
• Couchbase Server 4.1.0
• Couchbase Server 4.1.1
• COUCHBASE > couchbase server 4.*.*
• COUCHBASE > couchbase server 4.*.*
• Couchbase Server 4.5.0
• COUCHBASE > couchbase server 4.*.*
• COUCHBASE > couchbase server 4.*.*
• Couchbase Server 4.5.1
• COUCHBASE > couchbase server 4.*.*
• Couchbase Server 4.6.0
• COUCHBASE > couchbase server 4.*.*
• Couchbase Server 4.6.2
• COUCHBASE > couchbase server 4.*.*
• Couchbase Server 4.6.3
• Couchbase Server 4.6.4
• Couchbase Server 4.6.5
• COUCHBASE > couchbase server 5.*.*
• COUCHBASE > couchbase server 5.*.*
• Couchbase Server 5.0.0
• COUCHBASE > couchbase server 5.*.*
• COUCHBASE > couchbase server 5.*.*
• Couchbase Server 5.0.1
• COUCHBASE > couchbase server 5.*.*
• Couchbase Server 5.1.0
• COUCHBASE > couchbase server 5.*.*
• COUCHBASE > couchbase server 5.*.*
• Couchbase Server 5.1.1
• Couchbase Server 5.1.2
• COUCHBASE > couchbase server 5.*.*
• Couchbase Server 5.1.3
• COUCHBASE > couchbase server 5.*.*
• Couchbase Server 5.5.0
• COUCHBASE > couchbase server 5.*.*
• Couchbase Server 5.5.1
• Couchbase Server 5.5.2
• COUCHBASE > couchbase server 5.*.*
• Couchbase Server 5.5.3
• COUCHBASE > couchbase server 5.*.*
• Couchbase Server 5.5.4
• Couchbase Server 5.5.5
• Couchbase Server 5.5.6
• COUCHBASE > couchbase server 6.*.*
• COUCHBASE > couchbase server 6.*.*
• Couchbase Server 6.0.0
• COUCHBASE > couchbase server 6.*.*
• Couchbase Server 6.0.1
• COUCHBASE > couchbase server 6.*.*
• Couchbase Server 6.0.2
• COUCHBASE > couchbase server 6.*.*
• Couchbase Server 6.0.3
• COUCHBASE > couchbase server 6.*.*
• Couchbase Server 6.0.4
• Couchbase Server 6.0.5
• Couchbase Server 6.0
• COUCHBASE > couchbase server 6.*.*
• COUCHBASE > couchbase server 6.*.*
• COUCHBASE > couchbase server 6.*.*
• Couchbase Server 6.5.0
• COUCHBASE > couchbase server 6.*.*
• COUCHBASE > couchbase server 6.*.*
• Couchbase Server 6.5.1
• Couchbase Server 6.5.2
• COUCHBASE > couchbase server 6.*.*
• COUCHBASE > couchbase server 6.*.*
• Couchbase Server 6.6.0
• COUCHBASE > couchbase server 6.*.*
• Couchbase Server 6.6.1
• COUCHBASE > couchbase server 6.*.*
• COUCHBASE > couchbase server 6.*.*
• Couchbase Server 6.6.2
• COUCHBASE > couchbase server 6.*.*
• Couchbase Server 6.6.3
• COUCHBASE > couchbase server 6.*.*
• COUCHBASE > couchbase server 6.*.*
• Couchbase Server 6.6.6
• COUCHBASE > couchbase server 7.*.*
• COUCHBASE > couchbase server 7.*.*
• COUCHBASE > couchbase server 7.*.*
• Couchbase Server 7.0.0
• Couchbase Server 7.0.0 Beta
• COUCHBASE > couchbase server 7.*.*
• COUCHBASE > couchbase server 7.*.*
• Couchbase Server 7.0.1
• COUCHBASE > couchbase server 7.*.*
• COUCHBASE > couchbase server 7.*.*
• Couchbase Server 7.0.2
• COUCHBASE > couchbase server 7.*.*
• Couchbase Server 7.0.3
• Couchbase Server 7.0.4
• Couchbase Server 7.0.5
• Couchbase Server 7.1.0
• Couchbase Server 7.1.1
• Couchbase Server 7.1.2
• Couchbase Server 7.1.3
• Couchbase Server 7.1.4
• Couchbase Server 7.1.5
• Couchbase Server 7.2.0
• Couchbase Server 7.2.1
• Couchbase Server 7.2.2
• Couchbase Server 7.2.3
• Couchbase Server 7.2.4
• Couchbase Server 7.2.5
• Couchbase Server 7.2.6
• Couchbase Server 7.6.0
• Couchbase Server 7.6.1
• Couchbase Server 7.6.2
• Couchbase Server 7.6.3

Questions to Ask Vendors

1. Have you upgraded all instances of Couchbase Server to version 7.6.4 (cross-platform) or 7.2.7 (Windows) to mitigate the risk of CVE-2025-46619?
2. Can you confirm that you have implemented monitoring and auditing measures to detect unusual file-read attempts, specifically related to potential exploitation of the Local File Inclusion (LFI) vulnerability in Couchbase Server?
3. Have you conducted an internal verification to inventory all Windows deployments of Couchbase Server and confirmed they are running versions 7.2.7 or higher?
4. Have you reviewed and adjusted the configuration of any web-facing interfaces to ensure they do not expose arbitrary file paths, as recommended in the remediation measures for CVE-2025-46619?

Recommended Actions

• Configuration Review: Ensure that any web-facing interfaces do not expose arbitrary file paths.
• Harden File Permissions: Restrict database process permissions to prevent unauthorized file reads.
• Immediate Upgrade: Upgrade all Couchbase Server instances to 7.6.4 (cross-platform) or 7.2.7 (Windows) to remediate the LFI flaw.
• Internal Verification: Inventory Windows deployments and confirm they are running ≥ 7.2.7 via configuration management tools.
• Monitoring & Audit: Monitor access logs for unusual file-read attempts and conduct regular vulnerability scans.

References

• http://webappsec.pbworks.com/Insufficient-Authorization
• https://capec.mitre.org/data/definitions/19.html
• https://capec.mitre.org/data/definitions/441.html
• https://capec.mitre.org/data/definitions/478.html
• https://capec.mitre.org/data/definitions/479.html
• https://capec.mitre.org/data/definitions/502.html
• https://capec.mitre.org/data/definitions/503.html
• https://capec.mitre.org/data/definitions/536.html
• https://capec.mitre.org/data/definitions/546.html
• https://capec.mitre.org/data/definitions/550.html
• https://capec.mitre.org/data/definitions/551.html
• https://capec.mitre.org/data/definitions/552.html
• https://capec.mitre.org/data/definitions/556.html
• https://capec.mitre.org/data/definitions/558.html
• https://capec.mitre.org/data/definitions/562.html
• https://capec.mitre.org/data/definitions/563.html
• https://capec.mitre.org/data/definitions/564.html
• https://capec.mitre.org/data/definitions/578.html
• https://nvd.nist.gov/vuln/detail/CVE-2025-46619
• https://securityonline.info/cve-2025-46619-lfi-vulnerability-affects-multiple-versions-of-couchbase-server-for-windows/
• https://www.couchbase.com/alerts/