CVE-2025-24899
📋 TL;DR
This vulnerability in reNgine allows any authenticated user (including those with low-privilege roles like Auditor) to extract sensitive information about other users by exploiting an API endpoint. The attacker can retrieve usernames, passwords, emails, roles, and activity information. All reNgine instances running vulnerable versions are affected.
💻 Affected Systems
- reNgine
📦 What is this software?
reNgine by yogeshojha (GitHub: yogeshojha/rengine)
⚠️ Risk & Real-World Impact
Worst Case
An insider attacker could extract all user credentials and sensitive data, leading to complete account compromise, privilege escalation, and potential lateral movement within the organization's infrastructure.
Likely Case
Insider threat actors with legitimate access could harvest sensitive user information for credential reuse, social engineering, or unauthorized access to other systems.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained, limiting data exposure to a small subset of users.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. The attacker needs to run a scan first to trigger the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.0
Vendor Advisory: https://github.com/yogeshojha/rengine/security/advisories/GHSA-r3fp-xr9f-wv38
Restart Required: No
Instructions:
1. Back up your current reNgine installation and database.
2. Update to version 2.2.0 using git pull or by downloading the latest release.
3. Run database migrations if required.
4. Verify the fix by testing the /api/listVulnerability/ endpoint.
🔧 Temporary Workarounds
No workarounds available
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate reNgine instances from sensitive systems.
- Enhance monitoring and alerting for suspicious API calls to the /api/listVulnerability/ endpoint.
🔍 How to Verify
Check if Vulnerable:
Check if your reNgine version is below 2.2.0 by examining the version in the web interface or checking the installation directory.
Check Version:
Check the web interface or examine the reNgine installation directory for version information.
Verify Fix Applied:
After upgrading to 2.2.0, attempt to access the /api/listVulnerability/ endpoint with a low-privilege user account and verify it no longer returns sensitive user information.
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /api/listVulnerability/ from the same user in a short timeframe
- Unusual API access patterns from low-privilege roles
Network Indicators:
- HTTP GET requests to the /api/listVulnerability/ endpoint followed by data exfiltration patterns
SIEM Query:
source="rengine" AND (url_path="/api/listVulnerability/" OR endpoint="/api/listVulnerability/") AND user_role IN ("auditor", "penetration_tester", "sys_admin")
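The two log indicators above (a burst of requests to /api/listVulnerability/ from one user, and any access from a low-privilege role) can be checked offline against exported access logs. The script below is an added example, not code from the advisory or from the reNgine project. It assumes (not stated on the page) that the web server writes one JSON object per request with the keys ts, user, role, method and path; the log lines it runs on are constructed, and treating every role other than sys_admin as low privilege is an assumption that mirrors the roles named in the SIEM query.

```python
"""Added example (not from the advisory or the reNgine project): flag the
access-log patterns listed for CVE-2025-24899 in exported reNgine logs."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

VULN_PATH = "/api/listVulnerability/"
# Assumption: only sys_admin is privileged; auditor and penetration_tester
# (the other roles in the advisory's SIEM query) count as low privilege.
PRIVILEGED_ROLES = {"sys_admin"}

# Constructed sample log: one JSON object per line (format is an assumption).
# "bob" fires five requests in six seconds; "carol" is a one-off low-privilege
# hit; "dave" never touches the vulnerable endpoint.
SAMPLE_LOG = """
{"ts": "2025-01-20T10:00:01Z", "user": "alice", "role": "sys_admin", "method": "GET", "path": "/api/listVulnerability/"}
{"ts": "2025-01-20T10:05:00Z", "user": "bob", "role": "auditor", "method": "GET", "path": "/api/listVulnerability/"}
{"ts": "2025-01-20T10:05:02Z", "user": "bob", "role": "auditor", "method": "GET", "path": "/api/listVulnerability/"}
{"ts": "2025-01-20T10:05:04Z", "user": "bob", "role": "auditor", "method": "GET", "path": "/api/listVulnerability/"}
{"ts": "2025-01-20T10:05:05Z", "user": "bob", "role": "auditor", "method": "GET", "path": "/api/listVulnerability/"}
{"ts": "2025-01-20T10:05:06Z", "user": "bob", "role": "auditor", "method": "GET", "path": "/api/listVulnerability/"}
{"ts": "2025-01-20T10:07:00Z", "user": "carol", "role": "penetration_tester", "method": "GET", "path": "/api/listVulnerability/"}
{"ts": "2025-01-20T11:00:00Z", "user": "dave", "role": "auditor", "method": "GET", "path": "/api/constructed-other-endpoint/"}
"""


def parse_log(text):
    """Parse one JSON object per line into event dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def vuln_endpoint_hits(events):
    """Keep only GET requests to the vulnerable endpoint."""
    return [e for e in events if e["method"] == "GET" and e["path"] == VULN_PATH]


def find_burst_users(events, window=timedelta(seconds=60), threshold=5):
    """Users with at least `threshold` hits to the endpoint inside any sliding window."""
    per_user = defaultdict(list)
    for e in vuln_endpoint_hits(events):
        per_user[e["user"]].append(e["ts"])
    flagged = set()
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits inside `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def find_low_priv_access(events):
    """Users outside the privileged roles who reached the endpoint at all."""
    return {e["user"] for e in vuln_endpoint_hits(events) if e["role"] not in PRIVILEGED_ROLES}


def detect(text, window=timedelta(seconds=60), threshold=5):
    """Run both indicators over a log export and return sorted user lists."""
    events = parse_log(text)
    return {
        "burst": sorted(find_burst_users(events, window, threshold)),
        "low_privilege": sorted(find_low_priv_access(events)),
    }


if __name__ == "__main__":
    for kind, users in detect(SAMPLE_LOG).items():
        print(f"{kind}: {users}")
```

The burst threshold and window are tunable; on a patched instance the endpoint should no longer return other users' records, so the low-privilege indicator is mainly useful for scoping exposure before the upgrade to 2.2.0 and for confirming nothing unexpected continues afterwards.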