Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-61777

Good to know:

icon

Date: October 6, 2025

Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the "/api/admin/badge-templates" (GET) and "/api/admin/badge-templates/create" (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available.

Severity Score

Related Resources (4)

https://github.com/FlagForgeCTF/flagForge/commit/e2121c5fb7a512a49dcd875812c944265fb1a846
https://nvd.nist.gov/vuln/detail/CVE-2025-61777
https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-26rx-c53q-rjf9
https://www.mend.io/vulnerability-database/CVE-2025-61777

Severity Score

Weakness Type (CWE)

Improper Access Control

CWE-284

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Missing Authentication for Critical Function

CWE-306

Top Fix

icon

Upgrade Version

Upgrade to version https://github.com/FlagForgeCTF/flagForge.git - v2.3.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): LOW

Do you need more information?

Contact Us