| Title | Open-Source LitmusChaos 3.19.0 Unauthorized Project Deletion via Missing Authorization Checks |
|---|
| Description | A critical vulnerability was identified in the LitmusChaos platform that allows any authenticated user to delete projects belonging to other users by manipulating the projectID parameter in a DELETE request. This occurs due to the absence of proper authorization checks on the backend.
Details
During testing, it was observed that when a user sends a request to delete a project, the backend accepts any valid projectID and proceeds with deletion without verifying if the user is authorized to perform the action. Specifically, the backend does not validate whether the requesting user is the owner or has sufficient privileges over the target project.
This flaw enables malicious users to craft requests with arbitrary projectID values, leading to the deletion of projects they do not own or manage.
Impact
Permanent deletion of other users' projects
Loss of critical data and disruption of service
Exploitable by any authenticated user |
|---|
| Source | ⚠️ https://github.com/MaiqueSilva/VulnDB/blob/main/readme06.md |
|---|
| User | maique (UID 88562) |
|---|
| Submission | 07/31/2025 04:30 (9 months ago) |
|---|
| Moderation | 08/09/2025 07:34 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 319324 [LitmusChaos Litmus up to 3.19.0 Delete Request /auth/delete_project/ projectID authorization] |
|---|
| Points | 20 |
|---|