PT-2025-39352 · Flagforge · Flagforge

Aryan4859 · Published 2025-09-24 · Updated 2025-10-08 · CVE-2025-59833

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Flag Forge versions 2.1.0 through 2.2.9

Description

Flag Forge is a Capture The Flag (CTF) platform. The API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object, regardless of whether the user has unlocked them. This allows users to view all hints for free, undermining the platform’s business logic and reducing the integrity of the challenge system. The vulnerable parameter is id.

Recommendations

Update to version 2.3.0 or later.
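
The flaw described above next to a server-side fix and a regression check, as an added example (not Flag Forge's code or its actual patch). The record shape, field names and function names are assumptions made for illustration.

```javascript
// Constructed sample record; field names (hints, cost, text) are assumptions.
const problem = {
  id: "p1",
  title: "Warmup",
  description: "Find the flag.",
  points: 100,
  hints: [
    { id: "h1", cost: 10, text: "Look at the response headers." },
    { id: "h2", cost: 25, text: "The cookie is base64." },
  ],
};

// Vulnerable shape: the stored object is serialized as-is, so every hint text
// reaches the client whether or not it was unlocked.
function serializeProblemVulnerable(p) {
  return { question: p };
}

// Hardened shape: build the response from an allow-list of fields and include
// hint text only for hint ids recorded server-side as unlocked for this user.
function serializeProblem(p, unlockedHintIds) {
  const unlocked = new Set(unlockedHintIds || []);
  return {
    question: {
      id: p.id,
      title: p.title,
      description: p.description,
      points: p.points,
      hints: (p.hints || []).map((h) =>
        unlocked.has(h.id)
          ? { id: h.id, cost: h.cost, unlocked: true, text: h.text }
          : { id: h.id, cost: h.cost, unlocked: false }
      ),
    },
  };
}

// Regression check: returns the ids of hints whose text appears in a response
// body although the user has not unlocked them.
function leakedHintIds(responseBody, p, unlockedHintIds) {
  const unlocked = new Set(unlockedHintIds || []);
  const wire = JSON.stringify(responseBody);
  return (p.hints || [])
    .filter((h) => !unlocked.has(h.id) && wire.includes(JSON.stringify(h.text)))
    .map((h) => h.id);
}
```

The check can run in an API test suite against each response of the problem endpoint, so that a later change which serializes the stored object directly fails the build.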

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-59833
GHSA-HM85-2J65-J8J2

Affected Products

Flagforge