Platform: other
Component: flagforge
Fixed in: 2.0.1
CVE-2025-61777 is a critical authentication bypass vulnerability affecting FlagForge versions 2.0.0 through 2.3.1. An attacker can exploit this flaw to access and manipulate badge templates without proper authorization, leading to data exposure and potential database corruption. The vulnerability resides in the /api/admin/badge-templates endpoints and has been resolved in FlagForge version 2.3.2.
This vulnerability presents a significant risk to FlagForge deployments. An unauthenticated attacker can leverage the missing authentication checks on the /api/admin/badge-templates endpoints to retrieve all badge templates and their associated metadata, including createdBy, createdAt, and updatedAt. Beyond data exposure, an attacker could create arbitrary badge templates, potentially injecting malicious code or disrupting the CTF platform's functionality. The impact extends to the integrity and confidentiality of the CTF environment, potentially compromising the fairness and security of challenges. This is akin to a privilege escalation, granting an attacker administrative-level access to a critical component of the platform.
This vulnerability was publicly disclosed on 2025-10-06. There is no indication of this CVE being added to the CISA KEV catalog at this time. The lack of authentication on administrative endpoints is a common vulnerability pattern, and while no public proof-of-concept (PoC) has been observed, the ease of exploitation suggests a potential for active campaigns targeting FlagForge instances.
EPSS: 0.03% (7% percentile)
The primary mitigation is to immediately upgrade FlagForge to version 2.3.2 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by adding authentication checks to the /api/admin/badge-templates endpoints. This could involve implementing a basic authentication scheme or restricting access based on user roles. Review existing badge templates for any signs of unauthorized modification. Monitor access logs for suspicious activity targeting the /api/admin/badge-templates endpoints. After upgrading, confirm the fix by attempting to access the /api/admin/badge-templates endpoints without authentication and verifying that access is denied.
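The log-monitoring step above, as an added example that is not part of the original advisory or FlagForge's own code: it scans reverse-proxy access logs for requests under /api/admin/badge-templates and groups successful reads, successful writes and denied requests per client. The combined log format, the 401/403 denial codes and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Endpoint prefix named in the advisory.
ADMIN_PREFIX = "/api/admin/badge-templates"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Assumption: reverse-proxy access log in NGINX/Apache "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def scan(lines):
    """Return {client_ip: {"reads": [...], "writes": [...], "denied": n}}."""
    report = defaultdict(lambda: {"reads": [], "writes": [], "denied": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        # Match the endpoint and its sub-paths, not look-alike prefixes.
        if path != ADMIN_PREFIX and not path.startswith(ADMIN_PREFIX + "/"):
            continue
        entry = report[m["ip"]]
        status = int(m["status"])
        if status in (401, 403):  # assumed denial codes after the fix
            entry["denied"] += 1
        elif 200 <= status < 300:
            kind = "writes" if m["method"] in WRITE_METHODS else "reads"
            entry[kind].append((m["ts"], m["method"], path))
    return dict(report)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [05/Oct/2025:10:01:02 +0000] "GET /api/admin/badge-templates HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.7 - - [05/Oct/2025:10:01:09 +0000] "POST /api/admin/badge-templates HTTP/1.1" 201 310 "-" "curl/8.5.0"',
    '198.51.100.4 - - [05/Oct/2025:10:02:00 +0000] "GET /api/admin/badge-templates?page=2 HTTP/1.1" 401 42 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Oct/2025:10:02:05 +0000] "GET /api/admin/badge-templates-old HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Oct/2025:10:02:09 +0000] "GET /api/challenges HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [05/Oct/2025:10:03:00 +0000] "DELETE /api/admin/badge-templates/abc123 HTTP/1.1" 204 0 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for ip, e in scan(SAMPLE).items():
        print(ip, "reads:", len(e["reads"]), "writes:", len(e["writes"]), "denied:", e["denied"])
```

Access logs alone do not show whether a request carried a valid admin session, so every successful hit recorded while a vulnerable version was deployed should be compared against known administrator activity.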
Update FlagForge to version 2.3.2 or later. This version fixes the vulnerability that allows unauthenticated access to badge templates. The update requires authentication and authorization to access and modify templates.
CVE-2025-61777 is a critical vulnerability in FlagForge versions 2.0.0 through 2.3.1 that allows attackers to access badge templates without authentication, potentially exposing sensitive data and enabling database manipulation.
If you are running FlagForge versions 2.0.0 through 2.3.1, you are vulnerable. Upgrade to version 2.3.2 or later to mitigate the risk.
The recommended fix is to upgrade to FlagForge version 2.3.2 or later. As a temporary workaround, implement authentication checks on the /api/admin/badge-templates endpoints.
While no active exploitation has been confirmed, the ease of exploitation suggests a potential for attacks. Continuous monitoring is recommended.
Refer to the official FlagForge security advisory for detailed information and updates: [https://flagforge.org/security/advisories](https://flagforge.org/security/advisories)