CVE-2025-59843

5.3 MEDIUM

📋 TL;DR

Flag Forge CTF platform versions 2.0.0 through 2.3.1 expose registered users' email addresses through the public /api/user/[username] API endpoint. Because the endpoint requires no authentication, anyone who can reach the instance can harvest the email address of every registered user simply by requesting their profiles. Every user account on an affected version is exposed.

💻 Affected Systems

Products:
  • Flag Forge CTF platform
Versions: 2.0.0 through 2.3.1
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the affected versions are vulnerable by default. The /api/user/[username] endpoint is publicly accessible.

📦 What is this software?

Flag Forge is a Capture The Flag (CTF) competition platform. The component at issue is its user lookup API, /api/user/[username], which serves registered users' profile data.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass email harvesting leading to targeted phishing campaigns, spam lists, or identity correlation attacks against CTF participants.

🟠 Likely Case

Email addresses collected for spam lists or targeted phishing against CTF community members.

🟢 If Mitigated

Limited impact if email addresses are already public or disposable, but still violates privacy expectations.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP GET requests to the vulnerable endpoint. No authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.2

Vendor Advisory: https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-qqjv-8r5p-7xpj

Restart Required: No

Instructions:

1. Back up your Flag Forge instance.
2. Update to version 2.3.2 or later using your deployment method.
3. Verify the fix by checking that an unauthenticated GET request to /api/user/[username] no longer returns an email field.

🔧 Temporary Workarounds

No workarounds available

The vendor advisory states there are no workarounds for this vulnerability.

🧯 If You Can't Patch

  • Block or restrict access to /api/user/* at a web application firewall or reverse proxy. Note that this also blocks legitimate profile lookups through that endpoint; if the proxy can rewrite responses, stripping the email field from the JSON body is a narrower alternative.
  • Monitor API logs for unusual request patterns against user endpoints, in particular one source requesting many distinct usernames in a short period.

🔍 How to Verify

Check if Vulnerable:

Make an unauthenticated GET request to /api/user/[any_existing_username] on your Flag Forge instance. If the JSON response contains an 'email' field with a value, the system is vulnerable. This check is the same request an attacker would make, so run it only against instances you operate.

Check Version:

Check the Flag Forge admin interface or deployment configuration for version information.

Verify Fix Applied:

After updating to 2.3.2+, make the same GET request. The response should not contain email addresses in the JSON output.
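The check above, as an added example that is not part of the advisory or of the Flag Forge project. It requests /api/user/<username> without credentials and reports any email addresses found in the JSON body. It goes slightly beyond the advisory's check: rather than looking only for a key literally named 'email', it walks the whole document so an address stored under another key (a nested profile object, for instance) is still reported. The endpoint path comes from the advisory; the response shape (a JSON object), the sample bodies and the hostname are assumptions.

```python
"""Added checker for CVE-2025-59843 (not the advisory's or the project's code).

Usage: python check_flagforge_email.py https://ctf.example alice
Exit status 1 means the response still leaks an email address.
"""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Deliberately loose: we only need "looks like an address", not RFC 5322.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample responses (assumed shape; not captured from a real instance).
VULNERABLE_BODY = '{"username":"alice","email":"alice@example.org","score":1337}'
FIXED_BODY = '{"username":"alice","score":1337}'
NESTED_BODY = '{"user":{"profile":{"contact":"bob@example.org"},"score":42}}'


def find_emails(obj, path=""):
    """Walk a decoded JSON document and return (json_path, value) pairs for every
    string value that looks like an email address, whatever key holds it."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            hits.extend(find_emails(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_emails(value, f"{path}[{i}]"))
    elif isinstance(obj, str) and EMAIL_RE.match(obj):
        hits.append((path, obj))
    return hits


def leaked_emails(body):
    """Return the email addresses found in a response body; [] means the body is
    clean or is not JSON at all (an error page, for example)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    return find_emails(doc)


def build_url(base_url, username):
    """Build the profile URL, percent-encoding the username so odd characters
    cannot change the path."""
    return f"{base_url.rstrip('/')}/api/user/{urllib.parse.quote(username, safe='')}"


def http_get(url):
    """Anonymous GET; returns (status, body) and treats 4xx/5xx as data, not errors."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_instance(base_url, username, fetch=http_get):
    """Fetch the profile anonymously and return (status, leaked_email_pairs).
    `fetch` is injectable so the logic can be exercised offline."""
    status, body = fetch(build_url(base_url, username))
    return status, leaked_emails(body)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_flagforge_email.py <base_url> <username>")
    status, leaks = check_instance(sys.argv[1], sys.argv[2])
    if leaks:
        print(f"VULNERABLE (HTTP {status}): " + ", ".join(f"{p}={v}" for p, v in leaks))
        sys.exit(1)
    print(f"No email addresses in response (HTTP {status})")
```

Run it once against a username you know exists before the upgrade and once after; a patched instance should report no addresses while still returning HTTP 200, which distinguishes a real fix from an endpoint that merely started failing.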

📡 Detection & Monitoring

Log Indicators:

  • High volume of GET requests to /api/user/* endpoints from a single source
  • A single source IP requesting many distinct usernames in a short period, which is the signature of harvesting rather than normal profile browsing

Network Indicators:

  • Patterns of sequential username enumeration in API requests

SIEM Query:

source="flagforge" AND uri_path="/api/user/*" AND http_method="GET" | stats count by src_ip
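The same detection logic applied to raw access logs, as an added example that is neither the advisory's nor the project's code. It implements the SIEM query's per-source count and, beyond it, the enumeration indicator above: a sliding window that flags any source IP requesting at least N distinct usernames within a few minutes. It assumes the reverse proxy in front of Flag Forge writes Combined Log Format; the log lines, IP addresses and usernames are constructed for the example.

```python
"""Added detection example for CVE-2025-59843 harvesting (not from the advisory).

Assumes Combined Log Format as written by a typical reverse proxy. The sample
lines below are constructed; 203.0.113.7 plays the harvester.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:14:02:01 +0000] "GET /api/user/alice HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.20 - - [10/Oct/2025:14:02:03 +0000] "GET /api/user/alice HTTP/1.1" 200 512 "https://ctf.example/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:14:02:04 +0000] "GET /api/user/bob HTTP/1.1" 200 498 "-" "curl/8.4.0"
203.0.113.7 - - [10/Oct/2025:14:02:07 +0000] "GET /api/user/carol HTTP/1.1" 200 501 "-" "curl/8.4.0"
198.51.100.20 - - [10/Oct/2025:14:02:09 +0000] "GET /api/challenges HTTP/1.1" 200 2048 "https://ctf.example/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:14:02:10 +0000] "GET /api/user/dave HTTP/1.1" 200 503 "-" "curl/8.4.0"
203.0.113.7 - - [10/Oct/2025:14:02:13 +0000] "GET /api/user/erin HTTP/1.1" 404 87 "-" "curl/8.4.0"
198.51.100.20 - - [10/Oct/2025:14:03:30 +0000] "GET /api/user/bob HTTP/1.1" 200 498 "https://ctf.example/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:14:02:16 +0000] "GET /api/user/frank HTTP/1.1" 200 507 "-" "curl/8.4.0"
198.51.100.20 - - [10/Oct/2025:14:03:31 +0000] "POST /api/user/bob HTTP/1.1" 405 0 "https://ctf.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
USER_API_RE = re.compile(r"^/api/user/([^/?#]+)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_user_lookup(line):
    """Return {ip, ts, user, status} for a GET /api/user/<name> line, else None.
    Non-GET requests and other paths are ignored, matching the SIEM query."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    u = USER_API_RE.match(m["path"])
    if not u:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "user": u.group(1),
        "status": int(m["status"]),
    }


def events(log_text):
    """All user-lookup events in the log, in file order."""
    return [e for e in map(parse_user_lookup, log_text.splitlines()) if e]


def requests_by_ip(log_text):
    """Equivalent of `stats count by src_ip` for GET /api/user/* requests."""
    return Counter(e["ip"] for e in events(log_text))


def find_enumeration(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: set_of_usernames} for every source that requested at least
    `min_users` distinct profiles within any span of length `window`.
    404s are counted too: guessing names that do not exist is still enumeration."""
    by_ip = defaultdict(list)
    for e in events(log_text):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])  # logs are not always time-ordered
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_users:
                # Report every name this source touched, not just the window.
                flagged[ip] = {e["user"] for e in evs}
                break
    return flagged


if __name__ == "__main__":
    print("requests per source:", dict(requests_by_ip(SAMPLE_LOG)))
    for ip, users in find_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip} enumerated {len(users)} usernames: {sorted(users)}")
```

Tune min_users and window to your platform's normal traffic; a scoreboard page that fans out one profile request per row will look like enumeration from a single browser, so exclude such referers or raise the threshold before paging anyone.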

🔗 References