CVE-2025-61777
📋 TL;DR
Flag Forge CTF platform versions 2.0.0 through 2.3.1 have unauthenticated API endpoints that allow unauthorized users to view all badge templates with sensitive metadata and create arbitrary badge templates. This affects any organization running vulnerable versions of Flag Forge, potentially exposing internal data and allowing database pollution.
💻 Affected Systems
- Flag Forge CTF Platform
📦 What is this software?
Flagforge by Flagforge
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers could retrieve sensitive badge metadata (creator info, timestamps) and flood the database with malicious badge templates, disrupting CTF operations and exposing internal organizational data.
Likely Case
Unauthorized users accessing badge templates to gather intelligence about CTF organizers and participants, or creating nuisance badge entries that require manual cleanup.
If Mitigated
With proper authentication and authorization controls, only authorized administrators can access or modify badge templates, preventing unauthorized data access or modification.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoints. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.2
Vendor Advisory: https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-26rx-c53q-rjf9
Restart Required: Yes
Instructions:
1. Back up your Flag Forge database and configuration.
2. Update to version 2.3.2 or later using your package manager or by downloading from GitHub.
3. Restart the Flag Forge service.
4. Verify that authentication is now required for the badge template endpoints.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to Flag Forge API endpoints using firewall rules or network segmentation
🧯 If You Can't Patch
- Implement reverse proxy with authentication requirements for /api/admin/ endpoints
- Monitor and alert on unauthorized access attempts to badge template endpoints
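The reverse-proxy workaround above, as an added nginx example (not configuration shipped by the Flag Forge project or the advisory). It assumes Flag Forge listens on 127.0.0.1:3000 behind nginx and that /etc/nginx/flagforge.htpasswd holds the operator credentials; both are assumptions. A case-insensitive regex location is used deliberately: nginx prefix locations are case-sensitive, while many Node routers match paths case-insensitively, so a plain `location /api/admin/` could be bypassed with `/API/admin/badge-templates`.

```nginx
# Added example, not part of the Flag Forge project. Assumed values:
# upstream 127.0.0.1:3000, htpasswd file /etc/nginx/flagforge.htpasswd,
# admin source range 192.0.2.0/24.
upstream flagforge {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name ctf.example.org;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Admin API: nginx decodes %XX and collapses dot-segments before matching,
    # and ~* makes the match case-insensitive, so path tricks do not skip this block.
    location ~* ^/api/admin/ {
        # Layer 1: only trusted networks may reach the admin API at all.
        allow 192.0.2.0/24;
        deny  all;

        # Layer 2: proxy-level credentials. Drop these two lines and keep the
        # allowlist if the application itself authenticates with an
        # "Authorization: Bearer ..." header, which Basic auth would clobber.
        auth_basic           "Flag Forge admin API";
        auth_basic_user_file /etc/nginx/flagforge.htpasswd;

        proxy_pass       http://flagforge;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else (challenges, scoreboard, player UI) passes through unchanged.
    location / {
        proxy_pass       http://flagforge;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Reload with `nginx -t && nginx -s reload`, then confirm from an address outside the allowlist that `/api/admin/badge-templates` returns 403 (and 401 from inside it without credentials). This only helps if the application port is not reachable directly; bind Flag Forge to loopback or firewall port 3000 so the proxy cannot be bypassed.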
🔍 How to Verify
Check if Vulnerable:
Send a GET request to /api/admin/badge-templates with no session cookie and no Authorization header. If it returns 200 with badge template JSON (creator details, timestamps), the system is vulnerable.
Check Version:
Check the Flag Forge version in the admin panel, or run `node -e "console.log(require('./package.json').version)"` from the Flag Forge install directory (the one containing package.json).
Verify Fix Applied:
Repeat the unauthenticated GET request to /api/admin/badge-templates. It should return 401 Unauthorized (or 403) or redirect to the login page, with no badge data in the body.
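The vulnerable/fixed check from this section as an added shell script (not tooling from the advisory or the Flag Forge project). The base URL is whatever you pass as the first argument; the classification of a 200 with a non-JSON body as inconclusive is my assumption, added because a single-page app that serves index.html for unknown paths would otherwise produce a false "vulnerable" verdict.

```shell
#!/bin/sh
# Added example (not from the advisory or the Flag Forge project): probe
# /api/admin/badge-templates with no cookie or Authorization header and
# classify the answer. Base URL is assumed to be given as $1.

# classify_response STATUS CONTENT_TYPE
#   -> VULNERABLE | FIXED | INCONCLUSIVE | UNREACHABLE
classify_response() {
  status="$1"
  ctype="${2:-}"
  case "$status" in
    200)
      case "$ctype" in
        application/json*) echo "VULNERABLE" ;;   # template data served anonymously
        *)                 echo "INCONCLUSIVE" ;; # e.g. SPA index.html for any path
      esac ;;
    401|403)             echo "FIXED" ;;          # auth check in place
    301|302|303|307|308) echo "FIXED" ;;          # redirected, typically to login
    000)                 echo "UNREACHABLE" ;;    # curl could not connect
    *)                   echo "INCONCLUSIVE" ;;   # look at the response by hand
  esac
}

# probe_badge_templates BASE_URL
# One anonymous GET; prints a summary line and returns non-zero if VULNERABLE
# so the function can gate a CI job or a cron-driven check.
probe_badge_templates() {
  base="${1%/}"
  # -w prints "<status> <content-type>"; status is 000 on connection failure
  set -- $(curl -s -o /dev/null --max-time 10 \
             -H 'Accept: application/json' \
             -w '%{http_code} %{content_type}' \
             "$base/api/admin/badge-templates")
  verdict=$(classify_response "${1:-000}" "${2:-}")
  printf '%s -> HTTP %s %s => %s\n' "$base" "${1:-000}" "${2:-}" "$verdict"
  [ "$verdict" != "VULNERABLE" ]
}

# Usage: sh probe.sh https://ctf.example.org
if [ -n "${1:-}" ]; then
  probe_badge_templates "$1"
fi
```

Run it against the same host before and after updating to 2.3.2: the verdict should move from VULNERABLE to FIXED. A FIXED verdict from a 302 only proves that anonymous clients are redirected; follow up with an authenticated request as a non-admin user to confirm the authorization check as well, since the advisory's issue is about who may read and create templates, not only whether a session exists.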
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /api/admin/badge-templates
- Multiple badge template creation events from non-admin users
- A 401 on another admin endpoint followed shortly by a 200 on /api/admin/badge-templates from the same source, which suggests a client probing for endpoints that skip the authentication check
Network Indicators:
- HTTP GET/POST requests to /api/admin/badge-templates without authentication headers
- Unusual traffic patterns to badge template endpoints
SIEM Query:
source="flagforge" AND (uri_path="/api/admin/badge-templates" OR uri_path="/api/admin/badge-templates/create") AND NOT (user_role="admin" OR auth_status="success")
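The log indicators above as an added, runnable check over reverse-proxy access logs (my example, not detection content from the advisory or the Flag Forge project). It assumes nginx or Apache "combined" format, where the third field is the user authenticated at the proxy (or "-" when none) and the ninth is the status code; the sample lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not from the advisory or the Flag Forge project): flag
# successful anonymous requests to the badge-template endpoints in a
# combined-format access log. Field layout assumed:
#   $1 client IP, $3 proxy-authenticated user ("-" if none),
#   $6 "METHOD (with leading quote), $7 path, $9 status.

# flag_unauth_admin_hits: stdin = log lines,
# stdout = "ip method path status" for each 2xx anonymous badge-template request
flag_unauth_admin_hits() {
  awk '
    {
      path = tolower($7)                 # many Node routers match case-insensitively
      sub(/\?.*/, "", path)              # ignore the query string
    }
    $3 == "-" && $9 ~ /^2/ && index(path, "/api/admin/badge-templates") == 1 {
      method = $6
      gsub(/"/, "", method)
      print $1, method, $7, $9
    }'
}

# Constructed sample (not real traffic). Lines 1 and 2 should be flagged:
# anonymous GET/POST answered 200/201. Line 3 is a proxy-authenticated admin,
# line 4 is an unrelated endpoint, line 5 is a rejected anonymous probe.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /api/admin/badge-templates HTTP/1.1" 200 4321 "-" "curl/8.4.0"
203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "POST /api/admin/badge-templates/create HTTP/1.1" 201 87 "-" "python-requests/2.32"
198.51.100.4 - alice [10/Oct/2025:12:01:10 +0000] "GET /api/admin/badge-templates HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:12:02:00 +0000] "GET /api/challenges HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:12:03:00 +0000] "GET /api/admin/badge-templates HTTP/1.1" 401 12 "-" "curl/8.4.0"'

# Demo on the constructed sample; for a real box use:
#   flag_unauth_admin_hits < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | flag_unauth_admin_hits
```

If the proxy does no authentication of its own, the third field is "-" for everyone and the filter degrades to "any 2xx on these paths", which still tells you the endpoints are being hit but not by whom; correlate those hits with the application's own session or audit log in that case. On a patched 2.3.2 instance the expected anonymous result is a 401, so any 2xx without a known admin identity behind it deserves a look.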