CVE-2025-8756
BaseFortify
Publication date: 2025-08-09
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tduckcloud | tduck-platform | to 5.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8756 is a critical improper authorization vulnerability in the tduck-platform up to version 5.1. It affects the preHandle function in the AuthorizationInterceptor component for the /manage/ path. The vulnerability allows an attacker with a normal user account to bypass authorization checks and gain unauthorized access to sensitive management APIs that should only be accessible by administrators. This bypass is possible because the authorization check does not properly handle path normalization or sanitization, allowing attackers to use crafted request URIs (such as injecting a semicolon) to evade the check and access restricted resources remotely. [1, 3]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with a normal user account to escalate their privileges and access sensitive management APIs that are intended only for administrators. This unauthorized access can compromise the confidentiality, integrity, and availability of the system by allowing attackers to perform administrative actions remotely without proper authorization. Since the exploit is publicly available and easy to execute, it poses a significant security risk. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the management API endpoints under the /manage/ path with and without a semicolon injection in the URI. For example, as a normal user, try accessing a management API endpoint like http://<host>:<port>/manage/user/1 which should fail, then try http://<host>:<port>/manage;/user/1 which may bypass authorization if vulnerable. Network monitoring tools can also be used to detect requests containing semicolon injections in the URI targeting /manage/ endpoints. Example curl commands to test this are: curl -i -b cookie.txt http://<host>:<port>/manage/user/1 curl -i -b cookie.txt http://<host>:<port>/manage;/user/1 where cookie.txt contains authentication cookies for a normal user account. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /manage/ endpoints to trusted administrators only, possibly via network-level controls such as firewall rules or VPN access. Since no known countermeasures or patches are currently available, it is recommended to avoid using the affected tduck-platform versions up to 5.1 and consider replacing the product with an alternative. Monitoring and blocking requests with suspicious URI patterns such as semicolon injections can also help reduce risk. [2, 3]