CVE-2025-59833
Severity: HIGH
FlagForge 2.1.0 to <2.3 - Unauthorized Exposure of Challenge Hints via API Endpoint
Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object, regardless of whether the user has unlocked them via point deduction. Users can view all hints for free, undermining the business logic of the platform and reducing the integrity of the challenge system. This issue has been patched in version 2.3.0.
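The missing check the advisory describes, as an added illustration that is not Flag Forge's own code: a serializer for the problem object that emits a hint's text only when the requesting user has unlocked it, shown beside the vulnerable shape that returns every hint. The function names, the sample problem record and the `unlockedHintIds` set are hypothetical.

```javascript
// Constructed sample problem record, in the shape a CTF backend might store.
// Hint text is the sensitive field; cost is the point deduction to unlock it.
const SAMPLE_PROBLEM = {
  id: "web-101",
  title: "Cookie Monster",
  points: 200,
  hints: [
    { id: "h1", cost: 25, text: "Look at the session cookie format." },
    { id: "h2", cost: 50, text: "The signature is not verified server-side." },
  ],
};

// Vulnerable shape (the behaviour the advisory describes): the stored object,
// hint text included, is returned to any caller of GET /api/problems/:id.
function serializeProblemVulnerable(problem) {
  return { ...problem };
}

// Hardened shape: hint text is emitted only for hints the caller has already
// paid for. `unlockedHintIds` is a Set of hint ids recorded server-side when
// the user accepted the point deduction; it must never come from the request.
function serializeProblemFixed(problem, unlockedHintIds) {
  return {
    id: problem.id,
    title: problem.title,
    points: problem.points,
    hints: problem.hints.map((h) =>
      unlockedHintIds.has(h.id)
        ? { id: h.id, cost: h.cost, unlocked: true, text: h.text }
        : { id: h.id, cost: h.cost, unlocked: false }
    ),
  };
}

// Regression check for the endpoint's output: true if any hint in a serialized
// response carries text the caller has not unlocked.
function leaksLockedHint(response, unlockedHintIds) {
  return response.hints.some((h) => "text" in h && !unlockedHintIds.has(h.id));
}
```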
References (1)
Vendor Advisory (x_refsource_confirm): https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-hm85-2j65-j8j2
Scores
CVSS v3: 7.5
EPSS: 0.0032
EPSS Percentile: 23.9%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-200
Status: published
Products (1): flagforge/flagforge 2.1.0 - 2.3
Published: Sep 24, 2025
Tracked Since: Feb 18, 2026