CVE-2025-65278 – An unauthenticated information disclosure vulne... (How to Fix)

Q: What is the severity of CVE-2025-65278?

CVE-2025-65278 has a CVSS score of 7.5 (HIGH). An unauthenticated information disclosure vulnerability in GroceryMart's users.json file exposes plaintext credentials. Attackers can access usernames and passwords without authentication. This affects GroceryMart deployments using the vulnerable commit.

📋 TL;DR

An unauthenticated information disclosure vulnerability in GroceryMart's users.json file exposes plaintext credentials. Attackers can access usernames and passwords without authentication. This affects GroceryMart deployments using the vulnerable commit.

💻 Affected Systems

Products:

GroceryMart

Versions: Commit 21934e6 (2020-10-23) and potentially earlier versions

Operating Systems: All platforms running GroceryMart

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the users.json file which appears to be part of the application's data storage.

📦 What is this software?

Grocerymart by Komal97

View all CVEs affecting Grocerymart →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete credential compromise leading to account takeover, data theft, and lateral movement within the system.

🟠

Likely Case

Credential harvesting enabling unauthorized access to user accounts and potential data exposure.

🟢

If Mitigated

Limited impact if proper access controls and credential rotation are implemented.

🌐 Internet-Facing: HIGH - Unauthenticated access to sensitive files makes this easily exploitable from the internet.

🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The GitHub gist demonstrates the vulnerability. Exploitation requires direct access to the users.json file path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None provided

Restart Required: No

Instructions:

1. Check for updated GroceryMart versions. 2. If no patch exists, implement workarounds. 3. Remove or secure the users.json file.

🔧 Temporary Workarounds

Restrict File Access

linux

Set proper file permissions to prevent unauthorized access to users.json

chmod 600 users.json
chown root:root users.json

Web Server Configuration

all

Block access to sensitive files via web server configuration

location ~* \.json$ { deny all; }

🧯 If You Can't Patch

Implement network segmentation to restrict access to the GroceryMart instance
Enable strong authentication mechanisms and rotate all exposed credentials immediately

🔍 How to Verify

Check if Vulnerable:

Attempt to access /path/to/users.json from an unauthenticated session. If the file returns user data, the system is vulnerable.

Check Version:

Check GroceryMart commit hash or version file if available

Verify Fix Applied:

Verify that accessing users.json returns a 403/404 error or requires authentication.

📡 Detection & Monitoring

Log Indicators:

Unusual access patterns to users.json file
Multiple failed authentication attempts followed by successful logins

Network Indicators:

HTTP GET requests to users.json from unauthorized IPs
Unusual outbound traffic after accessing the file

SIEM Query:

source="web_server" AND (uri="*users.json" OR uri="*.json") AND status=200

📊 Metadata

CVE ID: CVE-2025-65278

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-200

EPSS Score: 0.03% exploit probability (8.8th percentile)

Published: November 26, 2025

Last Updated: December 30, 2025

🔗 References

https://gist.github.com/whoisrushi/7e8d15c85221e3f708b7b480e04ab6ca Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-65278, you might also want to check these: