CVE-2025-59843 in flagForgeinfo

Summary

by MITRE • 09/26/2025

Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email addresses from public API responses while keeping the endpoint publicly accessible. Users should upgrade to version 2.3.2 or later to eliminate exposure. There are no workarounds for this vulnerability.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 01/29/2026

The vulnerability identified as CVE-2025-59843 affects Flag Forge, a Capture The Flag platform that serves as a collaborative environment for cybersecurity competitions and training exercises. This issue represents a significant information disclosure flaw that exposes sensitive user data through an otherwise publicly accessible API endpoint. The affected version range spans from 2.0.0 through 2.3.1, indicating that organizations using these versions remain at risk of exposing user email addresses to unauthorized parties. The vulnerability manifests through the /api/user/[username] endpoint which, when accessed, returns complete user profile information including email addresses in JSON format without proper access controls or authentication requirements.

The technical flaw stems from inadequate data sanitization and access control implementation within the application's API layer. Specifically, the platform fails to properly filter sensitive information from public API responses, allowing any authenticated or unauthenticated user to enumerate email addresses by making requests to the user endpoint with various username parameters. This represents a classic case of insufficient authorization checks and data exposure through API endpoints, which aligns with CWE-200 (Information Exposure) and CWE-668 (Allowing Access to Critical Functionality). The vulnerability demonstrates poor principle of least privilege implementation where public endpoints should not return sensitive user information, particularly email addresses that can be used for social engineering attacks, account enumeration, or targeted phishing campaigns.

The operational impact of this vulnerability extends beyond simple information disclosure, as email addresses represent critical user identifiers that can facilitate various attack vectors including credential stuffing, social engineering, and targeted phishing attempts. In the context of a CTF platform, where users often share their email addresses for competition registration and communication purposes, this exposure could enable attackers to identify active participants, correlate user activities across different systems, or conduct reconnaissance for more sophisticated attacks. The vulnerability affects the platform's security posture by potentially compromising user privacy and creating opportunities for attackers to gain intelligence about the user base. From an attacker's perspective, this vulnerability maps to ATT&CK technique T1589.001 (Credential Access: Credentials from Password Stores) and T1592 (Reconnaissance: Search Open Websites/Domains) as it enables passive reconnaissance through automated enumeration of user accounts.

The fix implemented in version 2.3.2 addresses the core issue by removing email addresses from public API responses while maintaining the endpoint's accessibility for legitimate use cases. This approach demonstrates proper security remediation through data filtering and access control enforcement, ensuring that sensitive information is not exposed through public interfaces. Organizations using Flag Forge should prioritize upgrading to version 2.3.2 or later to eliminate this exposure, as there are no viable workarounds available for this vulnerability. The remediation process should include comprehensive testing to ensure that legitimate API functionality remains intact while sensitive data is properly protected. Security teams should also conduct thorough audits of other public API endpoints to identify similar information disclosure vulnerabilities that may exist within the platform or related systems.

Responsible

GitHub M

Reservation

09/22/2025

Disclosure

09/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00389

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!