CVE-2025-61777

EPSS 0.43%
Veröffentlicht 06.10.2025 16:44:27
Zuletzt bearbeitet 30.10.2025 13:53:37
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

FlagForge Allows Unauthenticated Badge Template API Access

Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Flagforge ≫ Flagforge Version >= 2.0 < 2.3.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.43%	0.345

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com	9.4	3.9	5.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-26rx-c53q-rjf9

Vendor Advisory

https://github.com/FlagForgeCTF/flagForge/commit/e2121c5fb7a512a49dcd875812c944265fb1a846

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-61777

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-61777

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-61777

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-61777