PT-2025-40914 · Flagforge · Flagforge

0X0W1Z · Published 2025-10-06 · Updated 2025-10-30 · CVE-2025-61777

CVSS v3.1: 9.4 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions

FlagForge versions 2.0.0 through 2.3.2

Description

FlagForge, a Capture The Flag (CTF) platform, had endpoints that did not require authentication or authorization. Specifically, the /api/admin/badge-templates (GET) and /api/admin/badge-templates/create (POST) endpoints allowed unauthorized access. This allowed retrieval of badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and the creation of arbitrary badge templates in the database. This could lead to data exposure and database pollution. The issue affected the badge system.

Recommendations

Versions prior to 2.3.2 should be updated to version 2.3.2 or later.

Exploit

Fix

Improper Access Control

Information Disclosure

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2025-61777
GHSA-26RX-C53Q-RJF9

Affected Products

Flagforge