
Security Vulnerability in Vitess vtbackup Tool Allows RCE and Arbitrary File Writes
Cybersecurity, Vulnerabilities, Database Security, Remote Code Execution
The post reports a security vulnerability in Vitess’s vtbackup tool, where untrusted fields in a MANIFEST file can lead to remote code execution (RCE) and arbitrary file writes. The issue arises from improper handling of user-controlled input within the MANIFEST file. Vitess is an open-source database clustering system for horizontal scaling of MySQL.
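
One way a restore path can treat MANIFEST contents as untrusted, shown as an added example that is not Vitess code or its fix. The manifest layout, field names, allowlist entries and paths below are assumptions made for illustration: path fields are confined to the restore root, and a command-like field may only select an operator-configured entry.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

type manifest struct { // hypothetical layout, not Vitess's actual MANIFEST schema
	Files        []string `json:"files"`        // restore targets, relative to the restore root
	Decompressor string   `json:"decompressor"` // tool the backup says it needs
}

// Operator-configured argv per name (assumed paths); the manifest can only pick a key.
var allowedDecompressors = map[string][]string{"gzip": {"/usr/bin/gzip", "-dc"}, "zstd": {"/usr/bin/zstd", "-dc"}}

// safeJoin resolves name under root and rejects empty, absolute and ".."-escaping names.
func safeJoin(root, name string) (string, error) {
	full := filepath.Join(root, name)
	rel, err := filepath.Rel(root, full)
	if filepath.IsAbs(name) || err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("manifest path %q is not inside %q", name, root)
	}
	return full, nil
}

// validateManifest parses untrusted MANIFEST bytes and returns vetted write paths and argv.
func validateManifest(raw []byte, root string) ([]string, []string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, nil, err
	}
	argv, ok := allowedDecompressors[m.Decompressor]
	if !ok { // never execute a command string taken from the manifest itself
		return nil, nil, fmt.Errorf("decompressor %q is not allowlisted", m.Decompressor)
	}
	var paths []string
	for _, f := range m.Files {
		p, err := safeJoin(root, f)
		if err != nil {
			return nil, nil, err
		}
		paths = append(paths, p)
	}
	return paths, argv, nil
}

func main() { fmt.Println(validateManifest([]byte(`{"files":["../x"],"decompressor":"gzip"}`), "/var/lib/restore")) } // constructed input
```

The path check is lexical only; it does not resolve symlinks that already exist under the restore root.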