CVE-2025-55165
BaseFortify
Publication date: 2025-08-12
Last updated on: 2025-08-13
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gelbphoenix | autocaliweb | 0.8.1 |
| gelbphoenix | autocaliweb | 0.8.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Autocaliweb versions prior to 0.8.3, where the debug pack generated by the application can expose sensitive configuration data, including API keys. The issue arises because the to_dict() method used to serialize configuration data for the debug pack does not properly filter out sensitive fields such as API tokens. As a result, users might unknowingly share debug packs containing private API keys, leading to unintended information disclosure.
How can this vulnerability impact me?
The vulnerability can lead to the exposure of sensitive information like API keys if users share debug packs generated by Autocaliweb. This exposure can allow unauthorized parties to access protected resources or services using the leaked API keys, potentially resulting in data breaches, unauthorized actions, or service disruptions.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Autocaliweb to version 0.8.3 or later, as this version patches the vulnerability by properly filtering sensitive fields in the debug pack serialization process. Additionally, avoid sharing debug packs generated by versions prior to 0.8.3 to prevent accidental exposure of sensitive configuration data such as API keys.
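The serialization flaw described above, as an added illustration in Python (hypothetical code, not Autocaliweb's own): a config object whose naive to_dict() emits every field, a hardened variant that redacts credential-like fields before they reach a debug pack, and a pre-share check that scans a generated pack for verbatim secret values. Field names, the sensitive-name pattern and the sample key values are all constructed for the example.

```python
import re
from dataclasses import dataclass, asdict
from typing import Any

# Key names that must never appear unredacted in a debug pack (constructed list).
SENSITIVE_PATTERN = re.compile(r"(api[_-]?key|token|secret|password|passwd)", re.IGNORECASE)
REDACTED = "<redacted>"


@dataclass
class AppConfig:
    """Hypothetical config object; field names are assumptions, not the project's."""
    library_path: str = "/books"
    port: int = 8083
    metadata_api_key: str = ""
    smtp_password: str = ""
    log_level: str = "INFO"

    def to_dict(self) -> dict[str, Any]:
        # Naive serialization: dumps every field, secrets included (the CWE-200 pattern).
        return asdict(self)

    def to_debug_dict(self) -> dict[str, Any]:
        # Hardened variant: same structure, but credential-like keys are redacted,
        # so the pack stays useful for support without carrying a usable key.
        return redact(self.to_dict())


def redact(obj: Any) -> Any:
    """Recursively replace values under sensitive keys; handles nested dicts and lists."""
    if isinstance(obj, dict):
        return {k: (REDACTED if SENSITIVE_PATTERN.search(str(k)) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def find_leaked_secrets(pack: dict[str, Any], secrets: list[str]) -> list[str]:
    """Pre-share check: return any known secret value that appears verbatim in the pack."""
    blob = repr(pack)
    return [s for s in secrets if s and s in blob]


if __name__ == "__main__":
    cfg = AppConfig(metadata_api_key="EXAMPLE-KEY-123", smtp_password="example-pass")
    secrets = [cfg.metadata_api_key, cfg.smtp_password]
    print("naive pack leaks:", find_leaked_secrets(cfg.to_dict(), secrets))
    print("hardened pack leaks:", find_leaked_secrets(cfg.to_debug_dict(), secrets))
```

The name-based redaction catches only fields whose key matches the pattern, so the verbatim-value check is the safety net for secrets stored under unexpected names.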