CVE-2025-23044
📋 TL;DR
PwnDoc lacks CSRF protection, allowing attackers to perform actions on behalf of logged-in users without their consent. This affects all PwnDoc instances with default configurations where users are authenticated. Attackers can trigger GET and POST requests to modify reports or perform other authenticated actions.
💻 Affected Systems
- PwnDoc
📦 What is this software?
Pwndoc by Pwndoc Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify or delete penetration test reports, create malicious reports, or perform administrative actions if admin users are targeted, potentially compromising the integrity of security assessments.
Likely Case
Attackers trick authenticated users into clicking malicious links that modify existing reports or create unauthorized entries, leading to data corruption or unauthorized access to sensitive information.
If Mitigated
With proper CSRF protections and SameSite cookie attributes, attackers cannot forge authenticated requests, limiting impact to other vulnerabilities that don't require CSRF.
🎯 Exploit Status
Exploitation requires the victim to be authenticated and visit a malicious page. Standard CSRF techniques apply - no special tools needed beyond basic web development knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 14acb704891245bf1703ce6296d62112e85aa995
Vendor Advisory: https://github.com/pwndoc/pwndoc/security/advisories/GHSA-9v2v-jxvw-52rq
Restart Required: Yes
Instructions:
1. Update to the latest PwnDoc version containing commit 14acb704891245bf1703ce6296d62112e85aa995
2. Restart the PwnDoc application
3. Verify CSRF tokens are now being generated and validated for all state-changing requests
🔧 Temporary Workarounds
Add SameSite cookie attribute
- Manually configure session cookies with the SameSite=Strict attribute to prevent cross-site requests
- Modify the PwnDoc configuration to set session.cookie.samesite = 'Strict' in application settings
Implement CSRF middleware
- Add custom CSRF protection middleware if unable to patch immediately
- Implement CSRF token generation and validation for all POST/PUT/DELETE endpoints
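As an added example (not PwnDoc's own code), here is a framework-agnostic Node.js version of the two workarounds above: an Origin/Referer check for state-changing methods and a SameSite=Strict session cookie. The allowed origin, the cookie name and the Express-style (req, res, next) wrapper are assumptions for illustration.

```javascript
'use strict';

// Methods that must never change state and so need no CSRF check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Decide whether a request may proceed. `allowedOrigin` is the scheme://host[:port]
// the PwnDoc UI is served from (assumed value). Node lowercases incoming header names.
function checkCsrf(method, headers, allowedOrigin) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allowed: true, reason: 'safe method' };
  }
  // Browsers send Origin on cross-site POST/PUT/DELETE; fall back to Referer.
  let source = headers.origin;
  if (!source && headers.referer) {
    try { source = new URL(headers.referer).origin; } catch (_) { source = undefined; }
  }
  if (!source) {
    // Neither header present: same-site cannot be proven, so fail closed.
    return { allowed: false, reason: 'missing Origin/Referer' };
  }
  if (source !== allowedOrigin) {
    return { allowed: false, reason: `cross-origin request from ${source}` };
  }
  return { allowed: true, reason: 'same-origin' };
}

// Set-Cookie value for the session token. SameSite=Strict stops the browser
// attaching the cookie to any cross-site request; HttpOnly and Secure are hygiene.
function sessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Express-style middleware wrapper (Express itself is not required to run this).
function csrfMiddleware(allowedOrigin) {
  return (req, res, next) => {
    const verdict = checkCsrf(req.method, req.headers, allowedOrigin);
    if (!verdict.allowed) {
      res.statusCode = 403;
      return res.end(`CSRF check failed: ${verdict.reason}`);
    }
    next();
  };
}
```

Mount the middleware before every route that modifies audits or settings, and send the cookie from the login handler; a browser then neither attaches the session cookie to a cross-site form post nor passes the Origin check if it did.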
🧯 If You Can't Patch
- Deploy a WAF with CSRF protection rules to block cross-site requests
- Isolate PwnDoc instance to internal network only and restrict user access to trusted sources
🔍 How to Verify
Check if Vulnerable:
Check if authenticated requests lack CSRF tokens and if session cookies don't have SameSite attribute set. Test by attempting to submit a form from a different origin.
Check Version:
Check git log for commit 14acb704891245bf1703ce6296d62112e85aa995 or compare version against patched releases
Verify Fix Applied:
Verify that all state-changing requests now include and validate CSRF tokens, and session cookies have SameSite=Strict attribute.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed state-changing requests from the same IP without CSRF tokens
- Unusual report modifications from users without corresponding UI interactions
Network Indicators:
- HTTP requests to PwnDoc endpoints with Referer headers from external domains
- POST requests whose Origin header is missing or does not match the PwnDoc origin
SIEM Query:
source="pwndoc" AND (http_method="POST" OR http_method="PUT" OR http_method="DELETE") AND NOT csrf_token=*