CVE-2025-55165
📋 TL;DR
Autocaliweb versions before 0.8.3 expose sensitive configuration data including API keys in debug packs. The to_dict() method fails to filter sensitive fields, allowing users who share debug packs to inadvertently leak private credentials. This affects all Autocaliweb users running vulnerable versions.
💻 Affected Systems
- Autocaliweb
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
API keys are exposed, leading to unauthorized access to external services, data exfiltration, and potential account takeover.
Likely Case
Users unintentionally share debug packs containing API keys, resulting in credential exposure and potential misuse.
If Mitigated
Limited impact if debug packs are never generated or shared, but risk remains for users who create them.
🎯 Exploit Status
Exploitation requires user to generate and share debug packs; no authentication bypass needed for the vulnerability itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.3
Vendor Advisory: https://github.com/gelbphoenix/autocaliweb/security/advisories/GHSA-44vp-wgh9-9535
Restart Required: Yes
Instructions:
1. Backup your Calibre database and configuration.
2. Stop the Autocaliweb service.
3. Update to version 0.8.3 via package manager or manual installation.
4. Restart the Autocaliweb service.
5. Verify the version is 0.8.3 or higher.
🔧 Temporary Workarounds
Disable debug pack generation
- Prevent creation of debug packs that contain sensitive data
- Modify configuration to disable debug functionality or restrict access to debug endpoints
Manual configuration filtering
- Manually remove sensitive fields from configuration before sharing debug packs
- Edit debug pack files to remove API keys and sensitive configuration sections
🧯 If You Can't Patch
- Do not generate or share debug packs
- Monitor for unauthorized API key usage and rotate exposed keys immediately
🔍 How to Verify
Check if Vulnerable:
Check if Autocaliweb version is below 0.8.3 and if debug pack functionality is enabled
Check Version:
Check Autocaliweb version in web interface or configuration files
Verify Fix Applied:
Confirm version is 0.8.3 or higher and test that debug packs no longer contain API keys
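The TL;DR above describes the root cause (a to_dict() that serializes every configuration field, secrets included) and this section asks you to confirm that debug packs no longer contain API keys. The following added example, which is not Autocaliweb's code and uses hypothetical class and field names, shows the unfiltered serializer beside a redacting one, plus an audit function that walks a debug pack and reports any sensitive-looking key whose value was not redacted. The key-name patterns are an assumption; adjust them to the field names your deployment actually uses.

```python
# Added example (not Autocaliweb's code): a redacting to_dict() next to the
# unfiltered shape, and an audit helper for checking a generated debug pack.
from dataclasses import dataclass, fields
import re

# Assumption: field names containing these words hold secrets.
SENSITIVE_PATTERN = re.compile(r"(api[_-]?key|token|secret|password|passwd)", re.I)
REDACTED = "<redacted>"


@dataclass
class Settings:  # hypothetical settings object
    library_path: str
    port: int
    metadata_api_key: str
    smtp_password: str

    def to_dict_unfiltered(self):
        # Vulnerable shape: every field is copied verbatim, secrets included.
        return {f.name: getattr(self, f.name) for f in fields(self)}

    def to_dict(self):
        # Hardened shape: fields whose name looks sensitive are redacted
        # before the dict is handed to the debug pack writer.
        out = {}
        for f in fields(self):
            value = getattr(self, f.name)
            out[f.name] = REDACTED if SENSITIVE_PATTERN.search(f.name) else value
        return out


def build_debug_pack(settings, filtered=True):
    # Minimal stand-in for a debug pack: version string plus serialized config.
    config = settings.to_dict() if filtered else settings.to_dict_unfiltered()
    return {"version": "0.0.0-example", "config": config}


def find_leaked_secrets(debug_pack):
    """Walk nested dicts/lists and return dotted paths of sensitive-looking
    keys whose value is still present (not redacted or empty)."""
    leaks = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else str(key)
                if SENSITIVE_PATTERN.search(str(key)) and value not in (REDACTED, None, ""):
                    leaks.append(child)
                walk(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(debug_pack, "")
    return leaks


if __name__ == "__main__":
    # Constructed sample values; not real credentials.
    s = Settings("/books", 8083, "EXAMPLE-KEY-123", "hunter2")
    print("unfiltered:", find_leaked_secrets(build_debug_pack(s, filtered=False)))
    print("filtered:  ", find_leaked_secrets(build_debug_pack(s, filtered=True)))
```

Run find_leaked_secrets() over the JSON of a freshly generated debug pack after updating; an empty list is the expected result on a fixed version, and any path it returns names a field you should redact and whose key you should rotate if the pack was already shared.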
📡 Detection & Monitoring
Log Indicators:
- Debug pack generation logs
- Configuration serialization events
Network Indicators:
- Downloads of debug pack files
- Unusual API key usage patterns
SIEM Query:
Search for debug pack file creation events or configuration serialization in application logs
🔗 References
- https://github.com/gelbphoenix/autocaliweb/commit/f455051f7c758ae8490186718b73e449f353b702
- https://github.com/gelbphoenix/autocaliweb/releases/tag/v0.8.3
- https://github.com/gelbphoenix/autocaliweb/security/advisories/GHSA-44vp-wgh9-9535