CVE-2025-8794
BaseFortify

Publication date: 2025-08-10

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability, which was classified as problematic, has been found in LitmusChaos Litmus up to 3.19.0. Affected by this issue is some unknown functionality of the component LocalStorage Handler. The manipulation of the argument projectID leads to authorization bypass. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-08-10
Last Modified: 2026-04-29
Generated: 2026-05-27
AI Q&A: 2025-08-10
EPSS Evaluated: 2026-05-25
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: litmuschaos
Product: litmus
Version / Range: up to 3.19.0 (inclusive)
CWE ID / Description
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in LitmusChaos up to version 3.19.0 allows an authenticated user to manipulate the projectID stored in the browser's LocalStorage to bypass authorization controls. Because the system does not properly validate project ownership on the backend, changing the projectID lets the attacker gain unauthorized owner-level access to projects they do not own. This improper design places critical access control on the client side instead of securely enforcing it on the server side. [1, 2]


How can this vulnerability impact me?

Exploiting this vulnerability can lead to unauthorized access to projects, allowing an attacker to perform privileged actions such as editing configurations, deleting resources, or inviting users on projects they do not own. This results in breaches of confidentiality, integrity, and availability of the affected projects. The vulnerability is easy to exploit with local access, and no mitigation or patch is currently available. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves checking for unauthorized manipulation of the projectID stored in the browser's LocalStorage by authenticated users. Since the vulnerability arises from client-side modification of projectID without proper backend validation, monitoring LocalStorage values for projectID changes or unusual access patterns to project resources may help. Additionally, reviewing logs for unauthorized owner-level actions on projects can indicate exploitation. There is a publicly available proof-of-concept exploit on GitHub which can be used to test if the system is vulnerable. Specific commands are not provided in the resources. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Currently, no patches or vendor mitigations are available. Immediate steps include restricting local access to trusted users only, monitoring for suspicious activity related to projectID manipulation, and considering replacing the affected LitmusChaos component with an alternative product. Since the vulnerability stems from improper client-side authorization, enforcing strict server-side authorization checks is recommended as a long-term fix. Until a patch is released, limiting exposure and access is the best mitigation. [2]
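As an added example (not code from this page or from the LitmusChaos project), the following hypothetical Go membership check shows the server-side enforcement the answer recommends: the acting user is taken from the verified session, and the client-supplied projectID is treated only as an untrusted lookup key that is checked against the server's own membership table. The store layout, role names and function are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is a project member's privilege level; higher values include lower ones.
type Role int

const (
	RoleViewer Role = iota
	RoleEditor
	RoleOwner
)

var ErrForbidden = errors.New("forbidden: caller is not authorized for this project")

// MembershipStore is the server-side source of truth for project membership:
// projectID -> userID -> role. A real service would back this with a database;
// this in-memory map is a constructed, hypothetical stand-in for the example.
type MembershipStore map[string]map[string]Role

// AuthorizeProjectAction decides purely from server-held state. userID must come
// from the authenticated session or token, never from the request body or any
// client-side storage; projectID is only used to look up the membership record.
func AuthorizeProjectAction(store MembershipStore, userID, projectID string, required Role) error {
	members, ok := store[projectID]
	if !ok {
		// Unknown project: deny without revealing whether it exists.
		return ErrForbidden
	}
	role, ok := members[userID]
	if !ok || role < required {
		return ErrForbidden
	}
	return nil
}

func main() {
	// Constructed sample data for the demonstration.
	store := MembershipStore{
		"proj-a": {"alice": RoleOwner, "bob": RoleViewer},
		"proj-b": {"carol": RoleOwner},
	}
	// Whatever projectID a client presents, the server answers from its own table.
	fmt.Println(AuthorizeProjectAction(store, "bob", "proj-b", RoleOwner)) // forbidden
	fmt.Println(AuthorizeProjectAction(store, "alice", "proj-a", RoleOwner)) // <nil>
}
```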

