CVE-2025-24369
LOWAnubis < v1.11.0-37 - Client-Specified Difficulty Bot Protection Bypass
Title source: manualDescription
Anubis is a tool that allows administrators to protect bots against AI scrapers through bot-checking heuristics and a proof-of-work challenge to discourage scraping from multiple IP addresses. Anubis allows attackers to bypass the bot protection by requesting a challenge, formulates any nonce (such as 42069), and then passes the challenge with difficulty zero. Commit e09d0226a628f04b1d80fd83bee777894a45cd02 fixes this behavior by not using a client-specified difficulty value.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Xe/x/security/advisories/GHSA-56w8-8ppj-2p4f
Patch x_refsource_misc
https://github.com/Xe/x/commit/7bd7b209f4f1b897de85ec8973458dc8be606a8b
Patch x_refsource_misc
https://github.com/Xe/x/commit/e09d0226a628f04b1d80fd83bee777894a45cd02
Various Sources x_refsource_misc
https://xeiaso.net/notes/2025/GHSA-56w8-8ppj-2p4f
Scores
CVSS v4
2.3
EPSS
0.0038
EPSS Percentile
29.9%
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-807
Status
published
Products (1)
Xe/x
< v1.11.0-37-gd98d70a
Published
Jan 27, 2025
Tracked Since
Feb 18, 2026