CVE-2025-3966
📋 TL;DR
This vulnerability in paicoding 1.0.3 allows unauthorized users to view other users' browsing history through the /user/home endpoint. Attackers can remotely exploit this information disclosure vulnerability to access sensitive user activity data. All systems running the affected version are vulnerable.
💻 Affected Systems
- itwanger paicoding
📦 What is this software?
Paicoding by Itwanger
⚠️ Risk & Real-World Impact
Worst Case
Attackers could systematically harvest browsing history of all users, potentially revealing sensitive personal information, search patterns, or internal system usage that could be used for social engineering or further attacks.
Likely Case
Attackers will access browsing history of random or targeted users, potentially exposing personal preferences, frequently visited content, or other non-critical but private user activity data.
If Mitigated
With proper access controls and input validation, the vulnerability would be prevented, limiting access to only authorized users' own browsing history.
🎯 Exploit Status
Exploit details are publicly available on GitHub, showing simple parameter manipulation to access other users' browsing history.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None known
Restart Required: No
Instructions:
No official patch available. Check GitHub repository for updates or implement workarounds.
🔧 Temporary Workarounds
Implement Access Control
Add server-side validation to ensure users can only access their own browsing history by verifying that the userId parameter matches the authenticated user.
Input Validation
Implement proper input validation and sanitization for the userId parameter to prevent unauthorized access.
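The two workarounds above amount to one server-side rule: the authenticated session, not the client-supplied userId, decides whose history is returned, and the parameter is validated before it is used. The block below is an added illustration of that rule, not paicoding's own (Java) code; the handler names, the in-memory history store, the Session object and the set of accepted homeSelectType values are assumptions chosen to show the pattern. The "vulnerable" handler reproduces the trust-the-parameter behaviour the advisory describes, and the "fixed" handler sits beside it.

```python
"""Ownership check for a per-user browsing-history view.

Added example, not code from the paicoding project. Names, the data store
and the Session type are assumptions that stand in for the real framework.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: "read" (browsing) history keyed by user id.
READ_HISTORY = {
    1: ["/article/10", "/article/12"],
    2: ["/article/99"],
}

# Assumption: only the "read" view is known from the advisory; extend as needed.
ALLOWED_SELECT_TYPES = {"read"}

# userId must be a positive decimal integer of sane length (assumed limit).
USER_ID_RE = re.compile(r"[1-9][0-9]{0,17}")


@dataclass
class Session:
    user_id: Optional[int]  # None when the caller is not logged in


class BadRequest(Exception):
    pass


class Forbidden(Exception):
    pass


def home_vulnerable(session: Session, user_id_param: str, home_select_type: str):
    """'Before' behaviour: whoever supplies userId receives that user's history (IDOR)."""
    if home_select_type != "read":
        return []
    return READ_HISTORY.get(int(user_id_param), [])


def parse_user_id(raw: str) -> int:
    """Input validation: reject anything that is not a positive integer."""
    if not USER_ID_RE.fullmatch(raw):
        raise BadRequest("userId must be a positive integer")
    return int(raw)


def home_fixed(session: Session, user_id_param: str, home_select_type: str):
    """Hardened handler: the session identity selects the history, never the parameter."""
    if session.user_id is None:
        raise Forbidden("login required")
    requested = parse_user_id(user_id_param)
    if requested != session.user_id:
        # Ownership check: a user may only read their own browsing history.
        raise Forbidden("cannot view another user's browsing history")
    if home_select_type not in ALLOWED_SELECT_TYPES:
        raise BadRequest("unknown homeSelectType")
    return READ_HISTORY.get(session.user_id, [])


def handle(handler, session: Session, user_id_param: str, home_select_type: str):
    """Tiny dispatch wrapper mapping the handler outcome to an HTTP-like status."""
    try:
        return 200, handler(session, user_id_param, home_select_type)
    except BadRequest as exc:
        return 400, str(exc)
    except Forbidden as exc:
        return 403, str(exc)


if __name__ == "__main__":
    # User 2 asking for user 1's history: leaks under the old handler, 403 under the new one.
    print(handle(home_vulnerable, Session(user_id=2), "1", "read"))
    print(handle(home_fixed, Session(user_id=2), "1", "read"))
```

A stricter variant drops the userId parameter from the history lookup entirely and reads the subject from the session only; the comparison form shown here is useful when the parameter must stay in the URL for compatibility, because it also makes the mismatch an explicit 403 that can be logged and alerted on.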
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests with suspicious userId parameter patterns
- Restrict access to the /user/home endpoint using network segmentation or authentication requirements
🔍 How to Verify
Check if Vulnerable:
Log in, request /user/home?userId=1&homeSelectType=read, and check whether the response shows the browsing history of a user ID other than the one tied to your authenticated session.
Check Version:
Check application version in configuration files or about page
Verify Fix Applied:
After implementing fixes, verify that users can only access their own browsing history and attempts to access other users' data are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed access attempts to /user/home with different userId parameters
- Unauthorized access patterns to browsing history endpoints
Network Indicators:
- Unusual parameter manipulation in /user/home requests
- Multiple userId values being tested in short timeframes
SIEM Query:
source="web_logs" AND uri_path="/user/home" AND (userId != authenticated_user_id OR multiple_userId_values)
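The SIEM pseudo-query above names two indicators: a userId that differs from the authenticated user, and many userId values from one client in a short time. The block below is an added example, not from the advisory or the paicoding project, that evaluates both over constructed access-log lines. The log layout (timestamp, client IP, authenticated user id with "-" for anonymous, method, request target, status), the field names and the threshold and window are assumptions to be mapped onto a real web-server or SIEM schema.

```python
"""Detection logic for the /user/home userId-mismatch and enumeration indicators.

Added example; the log format, field names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)

ENUM_THRESHOLD = 3                    # distinct userId values from one IP ...
ENUM_WINDOW = timedelta(seconds=60)   # ... within this window (assumed tuning)

# Constructed sample log: one legitimate self-view, one anonymous probe,
# a burst from one IP cycling through several userId values, and unrelated traffic.
SAMPLE_LOG = """\
2025-04-27T10:00:01Z 198.51.100.7 user=2 GET /user/home?userId=2&homeSelectType=read 200
2025-04-27T10:00:05Z 203.0.113.5 user=- GET /user/home?userId=1&homeSelectType=read 200
2025-04-27T10:00:10Z 203.0.113.9 user=7 GET /user/home?userId=1&homeSelectType=read 200
2025-04-27T10:00:12Z 203.0.113.9 user=7 GET /user/home?userId=2&homeSelectType=read 200
2025-04-27T10:00:14Z 203.0.113.9 user=7 GET /user/home?userId=3&homeSelectType=read 200
2025-04-27T10:00:20Z 198.51.100.7 user=2 GET /article/10 200
"""


def parse_line(line):
    """Parse one log line into a dict with the path and query split out; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def detect(log_text):
    """Return findings as tuples:
    ('mismatch', ip, authenticated_user, requested_userId)
    ('enumeration', ip, distinct_userId_count)
    """
    findings = []
    by_ip = defaultdict(list)  # ip -> [(ts, userId)] for /user/home requests
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/user/home":
            continue
        uid = rec["query"].get("userId")
        if uid is None:
            continue
        # Indicator 1: requested userId is not the authenticated user's own id
        # (an anonymous "-" never matches, so unauthenticated probes are flagged too).
        if uid != rec["user"]:
            findings.append(("mismatch", rec["ip"], rec["user"], uid))
        by_ip[rec["ip"]].append((rec["ts"], uid))
    # Indicator 2: many distinct userId values from one client inside the window.
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {u for t, u in events[i:] if t - start <= ENUM_WINDOW}
            if len(seen) >= ENUM_THRESHOLD:
                findings.append(("enumeration", ip, len(seen)))
                break  # one finding per client is enough for an alert
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

In a real deployment the authenticated user usually comes from a session or auth log rather than the access log itself, so the two sources have to be joined on session id or request id before the mismatch rule can fire; the enumeration rule needs only the access log and is the cheaper one to run first.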
🔗 References
- https://github.com/uglory-gll/javasec/blob/main/paicoding.md
- https://github.com/uglory-gll/javasec/blob/main/paicoding.md#21userhomeuserid1homeselecttyperead-view-browsing-history-of-others
- https://vuldb.com/?ctiid.306302
- https://vuldb.com/?id.306302
- https://vuldb.com/?submit.557250