CVE-2025-62614

CVSS v4.0

8.7

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions BookLore versions 1.8.1 and prior

Description BookLore is a self-hosted web app for managing book collections. Versions prior to a recent update have an authentication bypass issue in the

BookMediaController

. This allows unauthenticated users to access and download book covers, thumbnails, and complete PDF/CBZ page content without authorization. The issue stems from missing access control annotations on multiple media endpoints and the

CoverJwtFilter

continuing request processing even without an authentication token. This enables attackers to enumerate and exfiltrate book content, bypassing download permissions. The issue was addressed with commit b226c43.

Recommendations Update BookLore to a version later than 1.8.1.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2025-62614

GHSA-363G-FHCQ-HVQP

Affected Products

Booklore

CVE-2025-62614

Weakness Enumeration

Related Identifiers

Affected Products

References · 8