CVE-2025-8796
BaseFortify

Publication date: 2025-08-10

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/delete_project/ of the component Delete Request Handler. The manipulation of the argument projectID leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-08-10
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-08-10
EPSS Evaluated: 2026-05-05
External records: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: litmuschaos
Product: litmus
Version / Range: up to 3.19.0 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-8796 is a vulnerability in LitmusChaos Litmus up to version 3.19.0 where the Delete Request Handler does not properly check authorization when processing delete requests for projects. Specifically, any authenticated user can delete projects owned by other users by manipulating the projectID parameter in the /auth/delete_project/ endpoint. This means that the system allows unauthorized deletion of projects without verifying if the user has permission to do so. [1, 2]


How can this vulnerability impact me?

This vulnerability can lead to unauthorized deletion of projects by any authenticated user, resulting in permanent loss of critical data and disruption of service. It impacts the integrity and availability of the system, as malicious users can delete projects they do not own, potentially causing significant operational and data loss issues. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized DELETE requests to the /auth/delete_project/ endpoint with a projectID parameter. Since the exploit involves sending crafted DELETE requests with arbitrary projectIDs, network or application logs should be inspected for unusual or unauthorized DELETE requests to this endpoint. Specific commands depend on your environment, but for example, using curl to test the endpoint with different projectIDs can help verify if authorization checks are missing: curl -X DELETE https://<target>/auth/delete_project/?projectID=<id> -H "Authorization: Bearer <token>". Additionally, monitoring web server or application logs for DELETE requests to /auth/delete_project/ can help detect exploitation attempts. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the /auth/delete_project/ endpoint to trusted users only, implementing additional authorization checks at the application or network level (such as web application firewalls or API gateways) to block unauthorized DELETE requests, and monitoring for suspicious activity. Since no patches or vendor responses are available, consider replacing the affected LitmusChaos Litmus versions (up to 3.19.0) with a secure alternative or an updated version if available. Also, limit user privileges to minimize potential damage from exploitation. [2]
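As an added example (not code from this page or from the Litmus project), the Python below shows the ownership check that the mitigation answer calls for and reuses that same check to audit access-log lines for the DELETE requests to /auth/delete_project/ that the detection answer describes. The user names, project IDs, ownership table and combined-log format are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (hypothetical users and project IDs, not from Litmus).
PROJECT_OWNERS = {"proj-alpha": "alice", "proj-beta": "bob"}

# Assumed combined-log shape with the authenticated user in the third field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_authorized_to_delete(user, project_id, owners):
    """The check CWE-862 says is missing: only the project's owner may delete it.
    Unknown project IDs are refused rather than treated as deletable."""
    return owners.get(project_id) == user

def handle_delete_project(user, project_id, owners):
    """Hardened shape of a delete handler: authorize first, then act.
    Returns an HTTP-style status; the deletion itself is simulated."""
    if not is_authorized_to_delete(user, project_id, owners):
        return 403
    del owners[project_id]  # stands in for the real deletion
    return 200

def find_unauthorized_deletes(lines, owners):
    """Audit log lines for DELETEs to /auth/delete_project/ whose projectID the
    authenticated user did not own. A 200 on such a request means the server
    carried out the deletion without an authorization check."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "DELETE":
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != "/auth/delete_project":
            continue
        project_id = parse_qs(url.query).get("projectID", [None])[0]
        if project_id is None or is_authorized_to_delete(m["user"], project_id, owners):
            continue
        findings.append({"ip": m["ip"], "user": m["user"],
                         "project_id": project_id, "status": int(m["status"])})
    return findings

# Constructed log lines: an owner's delete, a non-owner's delete, an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - alice [10/Aug/2025:12:00:01 +0000] "DELETE /auth/delete_project/?projectID=proj-alpha HTTP/1.1" 200 17',
    '10.0.0.9 - mallory [10/Aug/2025:12:00:07 +0000] "DELETE /auth/delete_project/?projectID=proj-beta HTTP/1.1" 200 17',
    '10.0.0.9 - mallory [10/Aug/2025:12:00:09 +0000] "GET /api/projects HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(find_unauthorized_deletes(SAMPLE_LOG, PROJECT_OWNERS))
```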

