CVE-2025-51867

MEDIUM

Deepfiction AI - Insecure Direct Object Reference via /browse/stories Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-51867. PoCs published by Secsys-FDU.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2025-51867, an Insecure Direct Object Reference (IDOR) vulnerability in Deepfiction AI's web application. It explains how attackers can exploit leaked `treatment_id` and `user_id` fields to consume other users' credits and access sensitive role configurations.

Description

Insecure Direct Object Reference (IDOR) vulnerability in Deepfiction AI (deepfiction.ai) through June 3, 2025, allowing attackers to chat with the LLM using other users' credits via sensitive information gained from the /browse/stories endpoint.

Exploits (1)

nomisec WRITEUP
by Secsys-FDU · poc
https://github.com/Secsys-FDU/CVE-2025-51867


Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Deepfiction AI web application
No auth needed
Prerequisites: Access to publicly accessible conversations on Deepfiction AI · Ability to intercept/modify API requests
devstral-2 · analyzed Feb 18, 2026

References (1)


Scores

CVSS v3 6.5
EPSS 0.0029
EPSS Percentile 20.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-639
Status published
Published Jul 22, 2025
Tracked Since Feb 18, 2026